pfSense Audit and Backup

1. Overview

This runbook captures the complete pfSense configuration state before migrating to VyOS. The backup enables instant rollback if issues occur during migration.

1.1. Prerequisites

  • SSH access to pfSense (via Vault SSH CA or direct)

  • Access to pfSense WebUI for config export

  • NAS share mounted for backup storage

2. Phase 1: Export XML Configuration

2.1. 1.1 WebUI Export

  1. Log in to pfSense: pfsense-01.inside.domusdigitalis.dev

  2. Navigate to: Diagnostics → Backup & Restore

  3. Select: All areas

  4. Click: Download configuration as XML

  5. Save as: pfsense-backup-YYYYMMDD.xml

2.2. 1.2 Copy to NAS

# From workstation after downloading
scp ~/Downloads/pfsense-backup-*.xml nas-01:/volume1/firewall_backups/

2.3. 1.3 Verify Backup

ssh nas-01 "ls -la /volume1/firewall_backups/pfsense-backup-*.xml"

3. Phase 2: Document Firewall Rules

# SSH to pfSense and export rules
ssh pfsense-01 "pfctl -sr" > /tmp/pfsense-firewall-rules.txt

TODO: Add pfSense CLI commands for rule export

4. Phase 3: Document NAT Rules

TODO: Add NAT export commands

5. Phase 4: Document DHCP Leases

TODO: Add DHCP export commands

6. Phase 5: Document DNS Configuration

TODO: Add DNS export commands

7. Phase 6: Document VPN Configuration

TODO: Add VPN export commands (if applicable)

8. Phase 7: Verify Backup Integrity

# Verify XML is valid
xmllint --noout /path/to/pfsense-backup-*.xml && echo "XML valid"

# Check file size (should be > 10KB typically)
ls -lh /path/to/pfsense-backup-*.xml
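
The checks above combined into one script, with a truncation check and a checksum that can be recomputed after the copy to the NAS. This is an added example, not part of the original runbook; the function names, the `.sha256` sidecar file and the 10240-byte floor (taken from the "> 10KB" hint) are assumptions.

```shell
#!/bin/sh
# Added example: integrity checks for a pfSense XML backup.
# Assumed, not from the runbook: function names, the <file>.sha256 sidecar,
# and MIN_BYTES (taken from the runbook's "> 10KB typically" hint).
MIN_BYTES=10240

# check_backup FILE -> 0 ok, 1 missing, 2 too small, 3 not a pfSense config,
#                      4 truncated, 5 malformed XML
check_backup() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    size=$(( $(wc -c < "$f") ))
    [ "$size" -ge "$MIN_BYTES" ] || { echo "too small: $size bytes" >&2; return 2; }
    # An unencrypted export has <pfsense> as its root element.
    grep -q '<pfsense>' "$f" || { echo "no <pfsense> root" >&2; return 3; }
    # A download cut short can still pass the size test but lacks the closing tag.
    grep -q '</pfsense>' "$f" || { echo "truncated: no </pfsense>" >&2; return 4; }
    # Full well-formedness check when xmllint is installed.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$f" || return 5
    fi
    return 0
}

# record_checksum FILE: write FILE.sha256 beside the backup.
record_checksum() {
    ( cd "$(dirname "$1")" && b=$(basename "$1") && sha256sum "$b" > "$b.sha256" )
}

# verify_checksum FILE: recompute and compare; non-zero if the file changed.
verify_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Stand-alone use: ./verify-backup.sh pfsense-backup-YYYYMMDD.xml
if [ $# -gt 0 ]; then
    check_backup "$1" && record_checksum "$1" && echo "OK: $1"
fi
```

Copy the `.sha256` file to the NAS together with the backup and run `sha256sum -c` there to confirm the transfer.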

9. Rollback Procedure

If VyOS migration fails and you need to restore pfSense:

  1. Power on pfSense VM: sudo virsh start pfSense-FW01

  2. Log in to the WebUI

  3. Navigate to: Diagnostics → Backup & Restore

  4. Browse to backup XML file

  5. Click: Restore Configuration

  6. Reboot when prompted