We're gonna call this our "rack is stupid" project, right? We need a new rack. You know, we could just figure out what screw size fits in these holes and just get some machine screws and tap them in. Yeah, threaded racks are better than this. Well, we don't even have one that actually takes rack nuts. That's the problem. I don't know, rack nuts suck too. Oh, they do, but I mean it's better than... But it does fit. Threaded holes or not, this firewall looks so good in here like that.

So we decided to replace our old firewall with this Netgate SG-5100 and this rack-mount kit, and this was the real easy part, actually, putting it in. It was the setup that I want to talk about, and changing over from a completely different firewall to another firewall. They both run pfSense, but there are sometimes some challenges in matching everything up when things aren't exactly the same when you swap things out.

So now it's all installed, and I know someone's gonna complain because of the screws in there, but that's why I had the first part of the video. This is actually a telecom rack that I've had for like 15 years of putting stuff in, and it doesn't have the proper screw backings, so it's hard to reach these top ones, and two screws is enough. Someone will criticize it and complain; I'll just get it out of the way: go ahead and complain about it. It's not how we do our customer stuff, but for our rack, two screws is fine and holding everything perfectly tight.

All right, back to why we're here for the video: swapping out pfSense is generally not too painful. People get worried about it, and they worry that maybe when they trade out a pfSense box they're gonna have trouble lining up the networks, what'll happen to all the firewall rules, etc., etc. I've done a video a while ago on backup and restore on pfSense, and it's actually only gotten better because of the way they handle it. So we swapped out from a custom build.
I wanted to go ahead and use an actual Netgate box. Part of the reason for that was, you know, I've been stocking a lot more Netgate boxes because we install so many of them for clients, and I said, you know what, let's just use a Netgate ourselves, because someone has called me out on it going, "Hey, Tom, don't you have a custom-built one?" and I'm like, yeah, and it's getting long in the tooth. I've had it forever. It's old. It's a really old Xeon, and, you know, I just said, okay, let's retire that and put a Netgate SG-5100 in there. It's perfectly adequate for what we do here at the office, and then I always keep a spare in stock. This is something we do both for our clients and of course for us: anything critical, we try to keep two of, because, well, if something goes down I don't want to wait, you know, even if it's next-day shipping. That's a whole day of, well, no firewall. That would be bad, and we kind of need that to get our work done.

But when swapping, and I have so many rules and features and VPNs and lots of settings, how do you get all that transported over from a custom-built box to a Netgate box, or vice versa? If you move from a Netgate box, or really any different box that doesn't match the same, there's gonna be an alignment you have to do with the network interfaces, which, if it was just that, would be pretty easy.

So let's first just take a look right here. This is pfSense running on my lab, and it's running on my lab because it's the easiest way to demo it. Everyone seems to ask about virtualizing it, and complains about the problems they've run into virtualizing it, such as ALTQ support in pfSense not being as good, or even missing in some of them. And someone's even commented that in a new version of VMware, apparently it doesn't... I'm not clear if ALTQ is going to be supported. I've seen some trouble on that.
I'm not a big fan of virtualizing it. It just seems to be more trouble than it's worth. I've had people with little hiccups and bugs that went away as soon as they went back to real hardware. Enough of that talk, but for demonstration purposes it's way easier to virtualize it. And so we have WAN at xn0, LAN at xn1, and right here xn2. What these are is each one of the network interfaces on here; when you add them in Xen they get added as xn, except when you add ones that are SR-IOV. So my Xen server does have a 10 gig card that does support SR-IOV. Basically, it's a virtualized version of passthrough, and I set it up on here for demonstration purposes. There's not too much to configuring it; you can Google how to add SR-IOV, but it does require that the motherboard and the network card support it.

But back to the point here: we can go ahead and take this card, and we've attached it to it, and we're gonna go ahead and look right here inside of our up-and-running pfSense, and we're gonna look at the interface assignments, and we see we have this extra network card just not in use, hanging out there. So here's this one. The goal, really: I want to take this, not xn0 but ixv0, and make it the new WAN. A couple of ways we can do it. First, we can just go here to the console and change interfaces. Absolutely easy way to do it: you go to assign interfaces, hit 1, and there the options are, so if we wanted to swap out which one belonged to which, we rewrite all the interfaces and restart the firewall. But I want to talk about doing it via the backup method. The reason I bring up doing it this way is because you can back up and restore a lot more, and we're gonna talk a little about the XML config file that comes with the system.
So we're gonna go over here, and let's go to the pfSense Diagnostics > Backup & Restore. We're gonna download the file, and I have it right here, and we're gonna go ahead and open it up with an editor. Don't open this up in Notepad, because it can leave extra spaces in there. Use a proper editor, or use Vim; make sure it's an editor that's made for editing files without adding any extra wrapper or spaces. So whatever your editor of choice is; for me it's the Geany editor here in Linux, but this works perfectly fine. So what we're looking at is the entire config file for everything inside of here.

And so let's take a look at how we swap the network interfaces. So we go here, Interfaces > Assignments: we have xn0 as WAN and ixv0 as what we want to be WAN. Well, the real simple way to do it: we're going to Ctrl-F, we're going to say xn0, and there it is. It actually only occurs once, so right here's interfaces, WAN, and there's the interface. All the rules and everything are attached to what you called your WAN interface. So we call this one WAN, so all the rules are attached to the WAN interface. So once we change the actual physical layer of it here to the new interface, then all the rules and everything follow it. So when you go over here, and back over real quick just to show you, so ixv0, I'm just gonna type that in right here: ixv0. We're gonna go ahead and just do a Save As. We'll call this New WAN. It's saved. So we have a separate file name; this one's saved, but all the rules are still attached to it. So when you go to firewall rules, it's not many; I just have a couple here for darkstat, allow SSH, etc. Those are going to copy over to the new interface automatically because it's named the same.
It's still called WAN. So we're gonna go here, and this is saved, just close it. Diagnostics > Backup & Restore, choose file, New WAN, and go ahead and restore all. You could just do the interfaces; we'll do just a full restore of the system. I didn't really change anything, of course, but we're gonna get to that next and show what happens when you do a more drastic change. "The firewall configuration has been updated. Firewall is now rebooting." Go over here to the interface here; you'll watch it go through the reboot process, and there it kicks off, and we'll fast forward through this real quick while it reboots.

All right, the system's rebooted, and you can see WAN is now assigned to ixv0, and it did get a new IP address, because there's a new MAC address, so it got handed a new IP address. So we can log into it, and because it was a full reinstall, it says "Package process finished successfully," and what it does is it'll reevaluate the packages and see if there are changes from what it has and go, okay, I'm gonna change everything. Naturally, for restoring it.

So, for me, we'll get more specific to my use case here with our SG-5100: there were a lot of changes that we had in the network interfaces, so I had to reassign all the different interfaces to match, because of the custom machine we had and the way the interface names are on that one. But that's not where we had to stop. So it turns out, in all of the system settings, for example, I had a whole lot of system tunables that I had changed over time. I had a lot of things that turned out to be very incompatible when it came to the custom config, so when I would try to reboot the SG-5100 it would go into basically a non-booting mode. And I said, you know, there are two ways to approach this, and I went ahead with what's not really more difficult, but I decided I didn't want any of those weird settings in my system, so we can do a different type of restore.
So we're going to go over here to Backup & Restore, and this is what's kind of cool about pfSense: you can do very granular restores. So I really only needed my packages and my firewall rules to be copied over, so I just copied over the interfaces, the packages, and the firewall rules, and then things like OpenVPN. Pretty straightforward. The only extra thing I really had to do that required manual editing was the certificates, so you import/export certificates as well. So let's show a little bit more how that's done.

And I'll start with, for example: we're going to go ahead and go over to my pfSense backup of our actual pfSense here, and this is the one for our office, and we're going to go ahead and not restore the whole thing, but let's go ahead and say let's just restore the package manager, for example. And I bring this up because one of the things that's obviously a really big deal to set up well is packages, or even the VPN. So let's just go ahead and open up a new window real quick here, and we'll look at the VPN. So right now, no VPN server set up, and we'll just do this one real quick, the VPN, because the package manager is a little bit more involved. So we go over here to OpenVPN and hit restore. "Are you sure?" Yep. "Firewall may need to be rebooted." I don't think it will be, and just like that we have the VPN set up. So there are the VPN settings for my office, and we actually have two VPNs, one for phones, one for actually getting into the network, and we keep two separate sets of users and two separate networks for them, with a lot of rules. So you can see that quickly you can restore settings back in pfSense.

Well, let's dig a little further. Why not look at the package manager? And we're going to use that same one: choose file, and we'll choose packages, and we'll go ahead and restore configuration data. "Are you sure you wish to restore this?"
Yep. All right, "may need to be rebooted"; it actually won't. We're gonna go to the package manager now. This is a little bit stranger, because it's going to have broken packages. So now we're gonna go ahead, and there are my settings for there, and let's do the more complicated one: let's look at what happens when we fix Suricata. So Suricata, if you spend a lot of time setting up Suricata, or tuning it and suppressing rules and figuring out which ones are good and which ones are bad, it can take some time doing. And yes, pfSense does, in that single backup file, do this, and what if you wanted to then import that configuration to another one? Well, you can do that too. So let's see what happens here. So pfSense Suricata, completely installed. All right, we're gonna go over here to Services > Suricata, and obviously these are more networks that I have in mind that don't exist on this system, but the ones whose names matched it was able to set up right away. So we can just go ahead and purge these. It's thinking; there we go, purge the last one, and now I have Suricata all set up and running with the rules how I want them, you know. It remembered everything here.
It'll have the different options turned on, categories set up, flow/stream variables, et cetera, et cetera, and away you go. That easy to configure, and now Suricata is up and running. You can see I did this all in real time on this system. This is one of the advantages you have with pfSense, being able to do this.

Now, I mentioned the certificates; that one's actually a little bit tricky. I'm not going to show you the certs that I have, but I'll show you in the config file how this can be done. So we're gonna switch back over to this. We'll open with another application, and I believe it is under <cert>. There we go. And we need to find the certificate file. There we go. And all I had to do, and these are the ones not from my main computer, these are the ones from here, is go through here, and you can see this is like the web configurator certificate. So what I had to do to get this in here is copy and paste this little piece into the XML file, and that allows it to import the certificate again. So I just grabbed that out of one XML file, though my original config, restored the certificates, restored a couple of things I needed, and now I've custom-done the firewall upgrade for my system. This is one of those things that they make really easy to do in pfSense: to have this granular control and look at this and be able to go, all right, I just want to change this, or change this, or move these types of things in here, and it's just like no big deal. You can move them and away they go.

And if I want to put this thing completely back to the way it was, go to Backup & Restore again, and, you know, we have Suricata, we've got other things all set up in here, or we can go back to choose file, and we're gonna go back to the Downloads folder, and here's our generic config. Not the New WAN one; this is the generic config that we had in the beginning, and we'll just go ahead and restore, and it's probably going to prompt me for a reboot, which it should, because it swaps some network information and it's a full
restore again. "Firewall configuration has changed, now rebooting," and we'll go ahead and we'll watch it do the reboot again. All right, it's about rebooted. All right, so it booted, configured, and you notice that we went back to the .196 address, not the .197, because it's back to the other one, before we swapped the WAN. So we'll go here, same thing. It's gonna say, hey, we successfully, you know, updated the packages, because it was a full thing, and we go back over here, we see, well, Suricata is missing; everything's back to the way it was. You can flip-flop pfSense really quickly back and forth like this to different options, to different config files, and all you have to do is save just that one XML file to make this work.

Now, the last thing I'll comment on: I've actually worked with a client that was really impressed with the way they did this. They went through and had put in a whole lot of VLANs, and the way they did it, because I couldn't believe how many they created, was for a very large, complicated project. Well, see, large, complicated; I mean they simplified it by scripting it all. They wanted to build, I think it was 120 VLANs or some larger number, based on an apartment complex where they wanted to separate everyone into their own VLAN. And instead of going through and manually creating all the networks, they actually created just a couple of them, looked at the XML file, and then took the XML file, repeated that information, combining things as needed with a series of scripts, and then put it back up there and created all the different networks. And I thought this was a rather clever way to do this. So you can look at the differential changes, and like I said, it's all XML, so it's easy to read and make those changes programmatically and then re-upload it to pfSense to have this done. It was an interesting project. I was helping them with a couple of aspects of it, but they figured out the programming without me. But it's not too difficult.
I'm just... I'm not a coder, so I didn't write it, but it was pretty cool the way they did that, because, well, it's not too difficult. You look at it and go, these are the settings that need to be added to the XML file, and then we just increment them all by one, so to speak, which included a separate DHCP server for each one, a separate, you know, VLAN ID, and a separate network. Well, one physical card it's attached to, but then separating out all the VLANs on the one physical and feeding off all these different places to supply internet to them. So it's really flexible, being able to do that with the backup file.

It's really something I think people get more scared of when they've had weird problems with pfSense, or when you're in my situation, switching from a custom build to a Netgate box. There are different things that you may run into that just don't work, including when you have a bunch of tunables; you can probably go through and say just remove all those, and I probably could have made all the changes to align it properly to go to a completely different platform. Because if you're not familiar, and we'll pull it up real quick here, the SG-5100 does not have anything more than a serial-type console connection. Well, it's actually USB, but because of that you can't just go in and use it. It wanted to output things to VGA. So that was the first challenge I ran into, because I had custom loaded it, and it had issues trying to output the video. So there was the first challenge I would have had to fix, but because I just needed really the rules and the VPNs and the certificates from my old system, it really wasn't that much more. It seemed like less time to me to just pull in those things and then pop in the package manager, so Suricata and my RADIUS server and all the users that are in the RADIUS server were set up. That was the quick change.
I did that, then you modify very little, and now I've got a completely working SG-5100. Now, like I said about having a spare, somebody's gonna ask me why I don't just put it in HA, and the reason we don't is because we only have a block of five IPs on the WAN. So if you're familiar or watched my HA video, you'll know you kind of have to, I call it wasting IP addresses, because you have to assign an IP address to each one. Just not that big of a deal for us. We just have the backup file. Any time we make a change, our process is to put the backup file in the proper backup folder that me or my other technicians have access to. So when you plug one of these in, clean boot, make sure it's up to date with the same version as ours, which we always keep on the latest version of pfSense, you quickly restore it, and when it's time for it to reboot, plug it into the same network ports as ours, and it's just gonna work when you're going from the same model to the same model. This is really great.

And we do this for our clients. Matter of fact, because we always, when we change things on a client, we keep a copy of their backup file, and because we stock many of the ones that we have installed at our clients, if there's a chance that there's a failure of a device, we have the backup file and we bring the firewall with us, in case that's what the problem is, when we have to go on site. If something becomes completely non-functional, it's as easy as just pop that backup file in, and as fast as you've seen in here, especially with a reasonably fast box, you're talking, you have the client back up and restored, the settings are applied, it's exactly like just where you left off.

The most important thing to do, and there is a rescue option in pfSense for those of you that don't do it, and yes, I've had a few tech friends that have had to help with this: if you don't back up that file and somehow you crash your pfSense or lock yourself out of it through some misfortune or oops clicks, it does have the ability to
rescue, because it's all saved in that one XML file, and that's the last thing I'm gonna show you real quick, just ways to edit that. So if you have SSH installed and set up on pfSense, which, I'll show you real quick: System > Advanced, Enable Secure Shell. I have it on port 222, and then for this purpose, because I'm actually administrating a firewall through the WAN interface, I do have a rule right here that allows SSH remote access to it, right here, port 222, just to match. Back over here, SSH in, and we go to, whoops, cd /cf/conf, and there is the XML file in here. So we go to vim config.xml. Whoops, vi; I want to type vim. But there's that same file as it lives right here on the server, and this is where, if you wanted to... don't edit it from here; you edit it differently from there. But if you wanted to get that file, this is the location of it: /cf/conf, and then it's the config.xml file. So if you've crashed the machine, but then boot it up and want to pull the drive out and get this file, right there's where you get it.

Now, the last little piece I'll show you right from the documentation in pfSense, the pfSense XML configuration file. So it says the same thing I said: here's the config file, here's where it's located, etc. This is the kind of cool part that I like. So for administrating, for those who are familiar with the vi editor: use the viconfig command to edit the running configuration live, and after saving and quitting the editor, the firewall will remove the cached configuration, and then changes will be visible in the GUI. The changes will not be active until the service relevant to the edited portion of the config is restarted. So let's show you that right here. So log in again, get a shell, and instead of typing vi and then going and finding the file, you can actually just type viconfig right from the command line, and then we're going to go and look at the firewall, and right here's darkstat. So it's on port 666. We can do a quick find, actually, for this 666.
I think it's the only time it occurs. It is. So right there's the description, darkstat data web, and port 666. Let's just change that to a 7. :wq, the magic incantation to exit vi and save. And we refresh, and you'll see it's now changed. But please note, until you actually, and I'm just going to move it arbitrarily as a rule, hit apply... Until you apply and reload the rule set, or reboot the firewall, either one of those, the relevant section has not been loaded. So it may display that, but it actually hasn't applied the changes. And the UI, because you're making the changes within here, realizes there's a change and asks for it to be applied. And then sometimes you'll have to either restart a service or do something like I just did there, or, like I said, just reboot the firewall. So it's just important to remember, if you do want to edit or have some custom thing you'd like to do from the command line, if you make changes in here to anything, you have to then reload that relevant service. But at least they've made it really convenient to be able to go in here right from the command line, without any extra tools: SSH in and start making changes to the system if you have some custom thing you want changed, or you've now goofed something that has locked you out of the UI but you still have SSH access or console access to be able to go right in and do this. Because that's certainly something people have done: accidentally disable rules and lock themselves out of it on many occasions. But some of the quicker ways you can also do that too, and I'll point out, is if you go to Restore recent configuration, option 15: it can list the backups and list the changes that you made, for example when you lock yourself out, and you want to, like we just reordered the firewall rule.
You can actually just restore a backup, choose one of the options, and roll it back one or two options back to unlock yourself, back up from the command line as well. Ctrl-C and exit that. But I'll leave links to the documentation. I just want to show that it's relatively harmless to configure this for you there, provided you know what you're doing: edit the XML file, change it. We've got a lot of confidence in doing this because we've done it so many times and restored things. It's also handy if you spent a lot of time configuring something, let's say Suricata, and you just wanted to import that configuration into another firewall, for all the time you spent, you know, custom tuning or setting up settings in there. You can see it's a lot quicker than going through and setting it up manually each time. And if you want to change anything, even custom, in that, that package config information is still located in the XML file, so you can make all the changes you want in there, provided they're proper and not goofed up, and then re-import it in there. And pfSense does have a sanity check to make sure that you haven't broken the XML file in some unusual way. It won't let you load a broken file. It does say, hey, this file's got a problem with it, and then you can start over.
All right, and thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general, even suggestions for new videos. They're accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
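Added example (not from the video, and not the client's scripts, which are never shown): a Python script doing the two config.xml edits the video describes, the WAN swap from xn0 to ixv0 and the scripted bulk VLAN build with a DHCP scope per VLAN. Python is my choice for the demo; the client's language is not stated. The element layout (`<interfaces>/<wan>/<if>`, `<vlans>/<vlan>`, `<dhcpd>/<optN>`, `<filter>/<rule>/<interface>`) mirrors a real config.xml, but `SAMPLE_CONFIG` is a trimmed, hand-constructed stand-in, and the opt numbering, VLAN tags and subnets are demo assumptions. Going through an XML parser sidesteps the stray-whitespace problem the video warns about with Notepad, and the re-parse at the end is the same well-formedness check pfSense applies on restore. It also handles the case the video's Ctrl-F approach misses: VLANs reference the NIC name, so moving a VLAN-carrying NIC means renaming the VLAN parent, its vlanif, and the OPT interface bound to it.

```python
"""Edit a pfSense config.xml with an XML parser instead of a text editor.
Added example for this transcript, not pfSense project code. The element layout
mirrors a real config.xml, but SAMPLE_CONFIG is a trimmed, hand-constructed
stand-in and the optN numbers, VLAN tags and subnets are demo assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>xn0</if><ipaddr>dhcp</ipaddr><descr>WAN</descr></wan>
    <lan><enable></enable><if>xn1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet><descr>LAN</descr></lan>
    <opt1><enable></enable><if>xn2</if><ipaddr>10.50.0.1</ipaddr><subnet>24</subnet><descr>DMZ</descr></opt1>
  </interfaces>
  <vlans></vlans>
  <dhcpd><lan><enable></enable><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan></dhcpd>
  <filter>
    <rule><interface>wan</interface><descr>darkstat</descr></rule>
    <rule><interface>lan</interface><descr>allow LAN</descr></rule>
  </filter>
</pfsense>"""


def remap_interface(root, logical, new_if):
    """Point logical interface (wan, lan, optN) at a different NIC. Filter rules
    name the logical interface and follow untouched; VLANs name the NIC, so any
    VLAN on the old NIC and the OPT bound to its vlanif are renamed too.
    Returns (old NIC, rules on this interface, VLANs moved)."""
    node = root.find(f"interfaces/{logical}/if")
    if node is None:
        raise KeyError(f"no <{logical}> under <interfaces>")
    if new_if != node.text and new_if in {e.text for e in root.iterfind("interfaces/*/if")}:
        raise ValueError(f"{new_if} is already assigned to another interface")
    old_if, node.text = node.text, new_if
    moved = 0
    for v in root.iterfind("vlans/vlan"):
        if v.findtext("if") != old_if:
            continue
        tag = v.findtext("tag")
        old_vif, new_vif = v.findtext("vlanif") or f"{old_if}.{tag}", f"{new_if}.{tag}"
        v.find("if").text = new_if
        if v.find("vlanif") is not None:
            v.find("vlanif").text = new_vif
        for e in root.iterfind("interfaces/*/if"):  # OPT bound to the old vlanif
            if e.text == old_vif:
                e.text = new_vif
        moved += 1
    rules = sum(1 for r in root.iterfind("filter/rule") if r.findtext("interface") == logical)
    return old_if, rules, moved


def add_vlans(root, parent_if, first_tag, count, first_net):
    """Create `count` VLANs on parent_if, each with an OPT interface (gateway =
    first host) and a DHCP scope (10th host .. last host), one subnet per VLAN.
    Refuses duplicate tags on the same parent and subnets too small to carve."""
    vlans, ifaces, dhcpd = (root.find(t) for t in ("vlans", "interfaces", "dhcpd"))
    taken = {(v.findtext("if"), v.findtext("tag")) for v in vlans.iterfind("vlan")}
    opt_num = max((int(e.tag[3:]) for e in ifaces if e.tag.startswith("opt")), default=0) + 1
    net = ipaddress.ip_network(first_net)
    if net.num_addresses < 16:
        raise ValueError("subnet too small for a gateway plus a DHCP range")
    created = []
    for tag in range(first_tag, first_tag + count):
        if (parent_if, str(tag)) in taken:
            raise ValueError(f"VLAN {tag} on {parent_if} already exists")
        vlanif, opt, hosts = f"{parent_if}.{tag}", f"opt{opt_num}", list(net.hosts())
        v = ET.SubElement(vlans, "vlan")
        for name, text in (("if", parent_if), ("tag", str(tag)), ("pcp", None),
                           ("descr", f"unit-{tag}"), ("vlanif", vlanif)):
            ET.SubElement(v, name).text = text
        i = ET.SubElement(ifaces, opt)
        for name, text in (("enable", None), ("if", vlanif), ("ipaddr", str(hosts[0])),
                           ("subnet", str(net.prefixlen)), ("descr", f"VLAN{tag}")):
            ET.SubElement(i, name).text = text
        d = ET.SubElement(dhcpd, opt)
        ET.SubElement(d, "enable")
        rng = ET.SubElement(d, "range")
        ET.SubElement(rng, "from").text = str(hosts[9])
        ET.SubElement(rng, "to").text = str(hosts[-1])
        created.append((opt, vlanif, str(net)))
        opt_num += 1
        net = ipaddress.ip_network(f"{net.network_address + net.num_addresses}/{net.prefixlen}")
    return created


def rendered(root):
    """Serialise and re-parse: the well-formedness check pfSense applies on
    restore, without the stray whitespace a GUI text editor can add."""
    text = ET.tostring(root, encoding="unicode")
    ET.fromstring(text)  # ParseError here means do not upload it
    return text


def rejects(func, *args):
    """True if the call is refused with ValueError (used to show the guards)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    print(remap_interface(root, "wan", "ixv0"), add_vlans(root, "xn1", 100, 3, "10.100.0.0/24"))
    with open("new_wan.xml", "w") as fh:  # then upload via Diagnostics > Backup & Restore
        fh.write(rendered(root))
```

The output file is what you upload through Diagnostics > Backup & Restore, exactly like the "New WAN" file in the video; nothing here writes to /cf/conf in place, so the viconfig-and-reload caveat does not apply. A real config.xml wraps `<descr>` values in CDATA; ElementTree reads those fine and writes them back as escaped text, which is the same XML to any conforming parser. The `rejects` helper exists so the guards (duplicate NIC assignment, duplicate VLAN tag, undersized subnet) can be exercised without partial edits landing in the tree.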