Topic: Backup/Recovery Feedback  (Read 2160 times)

jbhowlesr

  • Guest
Backup/Recovery Feedback
« on: March 22, 2016, 07:48:03 pm »
Dear developers. I wish to submit a suggestion to you concerning a new backup recovery option for pfsense. Please note that I am basing this suggestion on recent experience with your product. I used to keep my home built pfsense box in my server cabinet but recently I purchased a new home and due to space available in my home, I have to co-locate my pfsense box and my server cabinet in separate rooms.

Anyhow, I love pfsense till I break it (I tinker a lot) and have to reinstall it which is easy. The problem is, I gotta grab a monitor and keyboard and take them to hook up to my box to reinstall or recover the box. So in doing so, I find myself wishing I had an alternative means to recover the unit. What I wish it had was a secondary failover interface assigned to a different static IP address on the same subnet. This system can be minimized to reduce resource usage and give the primary ability to keep the internet going in event of primary interface crash and means to apply a recovery image to the primary system.

I think that what I am suggesting would work great on my current pfsense build which I assembled from leftover parts from a PC upgrade I did for a friend. Below I have attached some system info for my box.

Derelict

  • Global Moderator
Re: Backup/Recovery Feedback
« Reply #1 on: March 22, 2016, 07:54:00 pm »
You are free to take an extra, physical interface, configure it with an admin IP address and put permissive rules on it so you can always ssh and webgui in then unplug from it and never use it or add rules to it or mess with it in any way.

Then after you "break" pfSense, you could just connect to it, ssh or web in, and do what you need to do.

Not sure what you're talking about with "keep the internet going." Maybe I'm misunderstanding your entire suggestion.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

BBcan177

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #2 on: March 22, 2016, 08:09:52 pm »
When "playing", I usually open an SSH session to the pfSense box before making any changes and keep it open since any crash of the box typically doesn't kill the existing open SSH connection.

You can also:

Copy the config to a backup from the shell:
  cp /conf/config.xml /conf/config.xml-03-22-16

and if you need to revert a change and reload the backup config:
  cp /conf/config.xml-03-22-16 /conf/config.xml
  rm /tmp/config.cache


Sometimes you can open a second shell, so that you always have one available. This way you can hit "exit" and be able to use options "11" and "16". Just need to have these SSH connections open before your "playing" around...

"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |
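
The backup and revert steps from the reply above, as an added example that is not part of any post in this thread: two shell functions that take a dated, owner-only copy of the config before a change and refuse to restore a file that is empty or truncated. The function names and the CONF/CACHE override variables are assumptions for illustration; the default paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the paths quoted in the
# post; CONF and CACHE (hypothetical names) can be overridden to try this
# on a copy instead of the live firewall.
CONF="${CONF:-/conf/config.xml}"
CACHE="${CACHE:-/tmp/config.cache}"

# backup_config: copy the live config to a timestamped file, print its path.
backup_config() {
    [ -s "$CONF" ] || { echo "no config at $CONF" >&2; return 1; }
    dest="$CONF-$(date +%Y%m%d-%H%M%S)"
    # config.xml holds password hashes and keys: keep the copy owner-only.
    ( umask 077 && cp "$CONF" "$dest" ) || return 1
    # Confirm the copy is byte-identical before relying on it.
    cmp -s "$CONF" "$dest" || { rm -f "$dest"; return 1; }
    echo "$dest"
}

# restore_config FILE: put a saved config back and drop the cached copy.
restore_config() {
    src="$1"
    [ -s "$src" ] || { echo "backup missing or empty: $src" >&2; return 1; }
    # Cheap completeness check: opening and closing <pfsense> root tags.
    grep -q '<pfsense>' "$src" && grep -q '</pfsense>' "$src" || {
        echo "not a complete pfSense config: $src" >&2; return 1; }
    # Keep the config being replaced so the restore itself can be undone.
    if [ -f "$CONF" ]; then
        ( umask 077 && cp "$CONF" "$CONF.pre-restore" ) || return 1
    fi
    cp "$src" "$CONF" || return 1
    # Same step as in the post: remove the cache so the file is re-read.
    rm -f "$CACHE"
}
```

Run `backup_config` before changing anything and note the path it prints; `restore_config` with that path puts it back.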

jbhowlesr

  • Guest
Re: Backup/Recovery Feedback
« Reply #3 on: March 22, 2016, 08:12:46 pm »
Quote from: Derelict
You are free to take an extra, physical interface, configure it with an admin IP address and put permissive rules on it so you can always ssh and webgui in then unplug from it and never use it or add rules to it or mess with it in any way.

Then after you "break" pfSense, you could just connect to it, ssh or web in, and do what you need to do.

Not sure what you're talking about with "keep the internet going." Maybe I'm misunderstanding your entire suggestion.


WOW, talk down to people much? Your reply was not helpful at all. It was as if you said, " take your suggestion and bugger off" without saying it.

jbhowlesr

  • Guest
Re: Backup/Recovery Feedback
« Reply #4 on: March 22, 2016, 08:17:02 pm »
Quote from: BBcan177
When "playing", I usually open an SSH session to the pfSense box before making any changes and keep it open since any crash of the box typically doesn't kill the existing open SSH connection.

You can also:

Copy the config to a backup from the shell:
  cp /conf/config.xml /conf/config.xml-03-22-16

and if you need to revert a change and reload the backup config:
  cp /conf/config.xml-03-22-16 /conf/config.xml
  rm /tmp/config.cache


Sometimes you can open a second shell, so that you always have one available. This way you can hit "exit" and be able to use options "11" and "16". Just need to have these SSH connections open before your "playing" around...


I'm considering some other alternatives. Prior to buying this house, I kept my server rack in a spare bedroom where my internet connection was. Now in this house, it is a 2 story and the smart panel is in the laundry room which is upstairs and unfortunately, it doesn't make sense to park my cabinet in there. So, I mounted a small rack shelf in there to put my modem, switch and pfsense box on and my server is in the spare bedroom downstairs. Unfortunately, I have no monitor or keyboard connected to my pfsense anymore; nor is it feasible to do so.

BBcan177

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #5 on: March 22, 2016, 08:19:24 pm »
Quote from: jbhowlesr
Unfortunately, I have no monitor or keyboard connected to my pfsense anymore; nor is it feasible to do so.

Last time I checked, SSH doesn't need your remote device to have a keyboard or mouse :) Take a look at putty as an SSH software...

jbhowlesr

  • Guest
Re: Backup/Recovery Feedback
« Reply #6 on: March 22, 2016, 08:22:13 pm »
is there any type of standalone monitor/keyboard to IP dongle available cheaply? It would be nice to be able to access the console via my desktop over my network.

BBcan177

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #7 on: March 22, 2016, 08:23:31 pm »
Quote from: jbhowlesr
is there any type of standalone monitor/keyboard to IP dongle available cheaply? It would be nice to be able to access the console via my desktop over my network.

https://en.wikipedia.org/wiki/KVM_switch

Derelict

  • Global Moderator
Re: Backup/Recovery Feedback
« Reply #8 on: March 22, 2016, 09:15:38 pm »
Quote from: jbhowlesr
Quote from: Derelict
You are free to take an extra, physical interface, configure it with an admin IP address and put permissive rules on it so you can always ssh and webgui in then unplug from it and never use it or add rules to it or mess with it in any way.

Then after you "break" pfSense, you could just connect to it, ssh or web in, and do what you need to do.

Not sure what you're talking about with "keep the internet going." Maybe I'm misunderstanding your entire suggestion.


WOW, talk down to people much? Your reply was not helpful at all. It was as if you said, " take your suggestion and bugger off" without saying it.

It accomplishes every one of your goals, dude. And all with no extra code (for your specific circumstance and your specific hardware, I might add.) And you can get another NIC for probably $2 if you try hard.

You need to lighten up.

To maintain a network device you need web, telnet/ssh, or serial access. This solution accomplishes two out of three because serial access to the computer console requires specialized hardware.

Serial access to the console already exists on hardware that supports it.

This is a solved problem. No need for any new features. Doesn't meet your needs, tinker away.

Derelict

  • Global Moderator
Re: Backup/Recovery Feedback
« Reply #9 on: March 22, 2016, 09:20:42 pm »
Quote
is there any type of standalone monitor/keyboard to IP dongle available cheaply? It would be nice to be able to access the console via my desktop over my network.
Hardware to do that already exists. No need for a new pfSense feature to solve your specific problem.

Buy a device with a remote management processor and you can console in and control power and do anything you want.

You can probably get an external device that listens on VNC and presents your session as monitor and keyboard to your hardware.

chpalmer

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #10 on: March 22, 2016, 10:00:38 pm »

Quote
You need to lighten up.

+1

I always keep an extra interface installed and configured just in case.  Then add a wireless access point to it if you don't want to wire it to your desk.  Not rocket science.
P.S. statements made by me are not necessarily condoned by the management of this fine organization.  http://badmodems.com

jbhowlesr

  • Guest
Re: Backup/Recovery Feedback
« Reply #11 on: March 23, 2016, 06:17:37 am »
Quote from: Derelict
Quote from: jbhowlesr
Quote from: Derelict
You are free to take an extra, physical interface, configure it with an admin IP address and put permissive rules on it so you can always ssh and webgui in then unplug from it and never use it or add rules to it or mess with it in any way.

Then after you "break" pfSense, you could just connect to it, ssh or web in, and do what you need to do.

Not sure what you're talking about with "keep the internet going." Maybe I'm misunderstanding your entire suggestion.


WOW, talk down to people much? Your reply was not helpful at all. It was as if you said, " take your suggestion and bugger off" without saying it.

It accomplishes every one of your goals, dude. And all with no extra code (for your specific circumstance and your specific hardware, I might add.) And you can get another NIC for probably $2 if you try hard.

You need to lighten up.

To maintain a network device you need web, telnet/ssh, or serial access. This solution accomplishes two out of three because serial access to the computer console requires specialized hardware.

Serial access to the console already exists on hardware that supports it.

This is a solved problem. No need for any new features. Doesn't meet your needs, tinker away.


Listen, I get what you are saying and even though your words come across very brash and aggressive, I remain calm and patient. I think though that you clearly don't understand what I am looking to do. First off, I have no experience using SSH, telnet etc. Second, I'm looking for a solution that in the event I'm out of town, my wife can easily pick up and go with if the box goes down. The things you suggest, while not resembling rocket science to you, are overly challenging to someone with no experience using them. Clearly you assume more of me than you need to.

So, let me repeat, there are two interfaces of pfsense that I wish to only use: the console and the web configurator. What I am asking for is a backup web configurator that can be used to fix the main in the event of outage; nothing more, nothing less.

My apologies Derelict if my skill set doesn't match up to yours. What I am seeking is something that is within my skill set; a common sense feature. I'm not looking to learn something I will use once in a great while.

maverick_slo

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #12 on: March 23, 2016, 06:35:39 am »
Clone a hdd and in event of failure your wife can switch it :)
Easiest way probably :)

Derelict

  • Global Moderator
Re: Backup/Recovery Feedback
« Reply #13 on: March 23, 2016, 10:51:27 am »
We would all love a way for our wives to recover from a router failure while we're out of town, dude. Wow.

A solution exists. It's called High Availability Failover/CARP/pfsync.

maverick_slo

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #14 on: March 23, 2016, 12:22:46 pm »
Lol.
But my solution works you know...
Tested :)

chpalmer

  • Hero Member
Re: Backup/Recovery Feedback
« Reply #15 on: March 23, 2016, 12:58:49 pm »
Quote from: maverick_slo
Lol.
But my solution works you know...
Tested :)

Truthfully the only way I see my firewall having problems while I'm out of town is a hardware failure, since neither my wife nor any of our kids will probably be trying to configure the firewall in my absence.    ;D

Your solution seems the most logical.   

But in any event.  jbhowlesr -  download putty and learn it while you have a chance.

https://www.youtube.com/watch?v=krNuKDGEjvQ
 
« Last Edit: March 23, 2016, 01:05:54 pm by chpalmer »