pfSense Decommission

1. Overview

This runbook decommissions the pfSense firewall after the VyOS HA cluster has been validated and is running stably. Execute ONLY after completing all VyOS migration milestones.

DO NOT execute this runbook until:

  • VyOS HA has been running for at least 7 days

  • All services verified working through VyOS

  • VRRP failover tested multiple times

  • Team is confident in VyOS operations

2. Phase 1: Pre-Decommission Checklist

2.1. Validation Checklist

Complete ALL items before proceeding:

Check  Description                             Status
-----  --------------------------------------  ------
[ ]    VyOS HA stable for 7+ days
[ ]    VRRP failover tested (both directions)
[ ]    All VLANs routing correctly
[ ]    Internet access working for all zones
[ ]    DHCP leases being issued
[ ]    DNS forwarding working
[ ]    Suricata IDS logging
[ ]    Wazuh agent reporting
[ ]    node_exporter metrics available
[ ]    API access working
[ ]    Git config tracking active
[ ]    Team trained on VyOS operations

2.2. Verify No pfSense Dependencies

# Check nothing is using pfSense IP
ping -c1 10.50.1.1  # Must be answered by the VyOS VIP, not pfSense (a reply alone does not show which box answered; check the neighbour/ARP entry for 10.50.1.1)

# Verify VyOS is handling traffic
ssh vyos-01 "show vrrp"
# Should show vyos-01 as MASTER

# Check active sessions through VyOS
ssh vyos-01 "show nat translations"
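The ping and `show vrrp` checks above can be scripted, and a ping reply does not show which box answered. The script below is an added example, not part of this runbook: it reads the neighbour (ARP) entry for the VIP and refuses to pass if the answering MAC is still pfSense's, and it parses `show vrrp` to confirm vyos-01 is MASTER. Assumptions not taken from the runbook: the pfSense LAN MAC is supplied in the PFSENSE_MAC variable (placeholder default), `show vrrp` prints a table whose fourth column is State (VyOS 1.3/1.4 layout), and the SAMPLE_ values are constructed, not captured from real hosts. Run it with `--live` on an admin host to query the real VIP and vyos-01; without arguments it runs against the samples.

```shell
#!/bin/sh
# Added example, not part of the runbook: pre-decommission checks.
# A ping reply from 10.50.1.1 does not show which box answered; the neighbour
# (ARP) entry for the VIP and the VRRP state on vyos-01 do.
# Assumptions not taken from the runbook: the pfSense LAN MAC is supplied in
# PFSENSE_MAC (placeholder default), vyos-01 accepts "show vrrp" over ssh as the
# runbook does, and `show vrrp` prints a table whose 4th column is State
# (VyOS 1.3/1.4 layout). The SAMPLE_ values are constructed for offline runs.

VIP="10.50.1.1"                                   # VyOS VIP from the runbook
PFSENSE_MAC="${PFSENSE_MAC:-00:00:00:00:00:00}"   # placeholder: record it from pfSense first

# lladdr_of: MAC address from one `ip neigh show <ip>` line, lower-cased.
lladdr_of() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i + 1)) }'
}

# vip_not_pfsense: 0 when the MAC answering for the VIP exists and is not pfSense's.
vip_not_pfsense() {
  mac=$(lladdr_of "$1")
  pf=$(printf '%s' "$PFSENSE_MAC" | tr 'A-Z' 'a-z')
  [ -n "$mac" ] && [ "$mac" != "$pf" ]
}

# count_master: number of VRRP groups in MASTER state in `show vrrp` output.
count_master() {
  printf '%s\n' "$1" | awk '$4 == "MASTER" { n++ } END { print n + 0 }'
}

# precheck: run both checks on the given outputs; returns 1 if either fails.
precheck() {
  failed=0
  if vip_not_pfsense "$1"; then
    echo "OK   $VIP is not answered by the pfSense MAC"
  else
    echo "FAIL $VIP still resolves to pfSense, or has no neighbour entry"
    failed=1
  fi
  masters=$(count_master "$2")
  if [ "$masters" -gt 0 ]; then
    echo "OK   vyos-01 is MASTER for $masters VRRP group(s)"
  else
    echo "FAIL vyos-01 is not MASTER for any VRRP group"
    failed=1
  fi
  return "$failed"
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_NEIGH="10.50.1.1 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE"
SAMPLE_VRRP="Name    Interface    VRID    State    Priority    Last Transition
------  -----------  ------  -------  ----------  -----------------
LAN     eth1         10      MASTER   200         3d21h
DMZ     eth2         20      MASTER   200         3d21h"

if [ "${1:-}" = "--live" ]; then
  ping -c1 -W1 "$VIP" >/dev/null 2>&1 || true   # refresh the neighbour entry
  precheck "$(ip neigh show "$VIP")" "$(ssh vyos-01 'show vrrp')"
else
  precheck "$SAMPLE_NEIGH" "$SAMPLE_VRRP"
fi
```

A non-zero exit from `precheck` means the checklist is not satisfied and Phase 4 must not start; the MAC comparison is what catches the case where pfSense is still answering for the gateway address even though VyOS believes it is MASTER.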

3. Phase 2: Final pfSense Backup

3.1. Export Final Configuration

  1. Login to pfSense WebUI

  2. Diagnostics → Backup & Restore

  3. Download configuration as XML

  4. Name: pfsense-FINAL-DECOMMISSION-YYYYMMDD.xml

3.2. Archive to NAS

# Create archive directory
ssh nas-01 "mkdir -p /volume1/firewall_backups/pfsense-archived"

# Move final backup
scp pfsense-FINAL-DECOMMISSION-*.xml nas-01:/volume1/firewall_backups/pfsense-archived/

4. Phase 3: Document Lessons Learned

TODO: Add lessons learned template

Document the following:

  • What went well during migration

  • Issues encountered and solutions

  • Configuration differences between pfSense and VyOS

  • Time taken for each phase

  • Recommendations for similar migrations

5. Phase 4: Stop pfSense VM

5.1. Graceful Shutdown

# SSH to kvm-01
ssh kvm-01

# Check pfSense VM state
sudo virsh list --all | grep -i pfsense

# Shutdown gracefully
sudo virsh shutdown pfSense-FW01

# Verify stopped
sudo virsh list --all | grep -i pfsense
# Should show "shut off"

5.2. Monitor for Issues

Wait 24-48 hours after stopping pfSense. Monitor for any issues that might require rollback.

# Verify VyOS still handling all traffic
ssh vyos-01 "show vrrp"
ssh vyos-01 "show firewall statistics"

6. Phase 5: Archive VM Files

6.1. Export VM Definition

# On kvm-01
sudo virsh dumpxml pfSense-FW01 > /tmp/pfSense-FW01-definition.xml

6.2. Archive Disk Image

# Move to archive (not delete)
sudo mv /mnt/onboard-ssd/libvirt/images/pfSense-FW01.qcow2 /mnt/onboard-ssd/libvirt/archive/
sudo mv /tmp/pfSense-FW01-definition.xml /mnt/onboard-ssd/libvirt/archive/

6.3. Copy to NAS

# Archive to NAS for cold storage
scp /mnt/onboard-ssd/libvirt/archive/pfSense-* nas-01:/volume1/firewall_backups/pfsense-archived/

7. Phase 6: Clean Up Resources

7.1. Undefine VM

# Remove from libvirt (files already moved)
sudo virsh undefine pfSense-FW01

7.2. Reclaim Resources

Document freed resources:

  • CPU cores: _

  • RAM: _

  • Disk space: _

8. Phase 7: Update Documentation

8.1. Documentation Updates Required

  • Update infrastructure diagrams (remove pfSense)

  • Update ip-addressing.adoc (note pfSense decommissioned)

  • Update backup-strategy.adoc (remove pfSense backups)

  • Archive pfSense-related runbooks or mark deprecated

  • Update monitoring dashboards

8.2. DNS Cleanup

Decide whether to remove pfSense DNS records:

# Option: Keep records pointing to VIP (VyOS now answers)
# No action needed - vyos VIP is 10.50.1.1

# Option: Remove pfSense-specific records
# Edit bind-01 zone files if pfSense-01/pfSense-02 records exist

9. Rollback (Emergency)

If critical issues discovered after stopping pfSense:

# On kvm-01 - restore from archive
sudo cp /mnt/onboard-ssd/libvirt/archive/pfSense-FW01.qcow2 /mnt/onboard-ssd/libvirt/images/
sudo virsh define /mnt/onboard-ssd/libvirt/archive/pfSense-FW01-definition.xml
sudo virsh start pfSense-FW01

# Update client gateways to point to pfSense if needed
# (VyOS should still work alongside pfSense temporarily)
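The Phase 5 archive steps (export definition, move disk, copy to NAS) and this emergency rollback are the reverse of each other, so they fit one helper. The script below is an added example and not part of this runbook: `archive` refuses to move the disk unless the VM is "shut off" (moving a running VM's disk would corrupt it) and compares sha256 checksums of the local archive against the NAS copy, so Phase 6 only undefines a VM whose cold-storage copy is known to match; `rollback` restores the disk, defines the VM from the archived XML, starts it and waits for it to run. VM name, paths and hosts are the runbook's. Assumptions not taken from the runbook: it runs on kvm-01 as a user with sudo and ssh access to nas-01, sha256sum exists on the NAS, and `virsh list --all` prints its "Id Name State" layout; the SAMPLE_ values are constructed for offline checks of the parsers.

```shell
#!/bin/sh
# Added example, not part of the runbook: one helper for Phase 5 (archive the
# pfSense disk and definition, copy both to the NAS) and for the emergency
# rollback (restore, define, start). It refuses to move the disk of a VM that
# is not "shut off", and compares checksums so the NAS copy is known to match
# before Phase 6 undefines anything. VM name, paths and hosts are the
# runbook's. Assumptions not from the runbook: run on kvm-01 by a user with
# sudo and ssh access to nas-01, sha256sum available on the NAS, and the
# `virsh list --all` layout "Id  Name  State". SAMPLE_ values are constructed.

VM="pfSense-FW01"
IMAGES="/mnt/onboard-ssd/libvirt/images"
ARCHIVE="/mnt/onboard-ssd/libvirt/archive"
NAS_HOST="nas-01"
NAS_DIR="/volume1/firewall_backups/pfsense-archived"

# vm_state: state of VM $2 in `virsh list --all` output $1 ("running",
# "shut off", ...); prints nothing when the VM is not defined.
vm_state() {
  printf '%s\n' "$1" | awk -v vm="$2" '$2 == vm { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# hash_of: checksum for the file whose basename is $2 in sha256sum output $1.
hash_of() {
  printf '%s\n' "$1" | awk -v f="$2" '{ n = split($2, p, "/"); if (p[n] == f) print $1 }'
}

# hashes_match: 0 when every named file ($3...) has the same, non-empty
# checksum in the local ($1) and remote ($2) sha256sum outputs.
hashes_match() {
  local_out="$1"; remote_out="$2"; shift 2
  for f in "$@"; do
    l=$(hash_of "$local_out" "$f"); r=$(hash_of "$remote_out" "$f")
    [ -n "$l" ] && [ "$l" = "$r" ] || return 1
  done
  return 0
}

# wait_state: poll until $VM reaches state $1 or $2 seconds pass.
wait_state() {
  waited=0
  while [ "$waited" -lt "$2" ]; do
    [ "$(vm_state "$(sudo virsh list --all)" "$VM")" = "$1" ] && return 0
    sleep 5; waited=$((waited + 5))
  done
  return 1
}

archive() {
  state=$(vm_state "$(sudo virsh list --all)" "$VM")
  if [ "$state" != "shut off" ]; then
    echo "refusing to archive: $VM is '${state:-undefined}', not 'shut off'" >&2; return 1
  fi
  sudo mkdir -p "$ARCHIVE"
  sudo virsh dumpxml "$VM" | sudo tee "$ARCHIVE/$VM-definition.xml" >/dev/null || return 1
  sudo mv "$IMAGES/$VM.qcow2" "$ARCHIVE/" || return 1
  scp "$ARCHIVE/$VM.qcow2" "$ARCHIVE/$VM-definition.xml" "$NAS_HOST:$NAS_DIR/" || return 1
  local_sums=$(sudo sha256sum "$ARCHIVE/$VM.qcow2" "$ARCHIVE/$VM-definition.xml")
  remote_sums=$(ssh "$NAS_HOST" "cd $NAS_DIR && sha256sum $VM.qcow2 $VM-definition.xml")
  if hashes_match "$local_sums" "$remote_sums" "$VM.qcow2" "$VM-definition.xml"; then
    echo "archived; NAS copy verified"
  else
    echo "NAS copy does not match the local archive; do not undefine yet" >&2; return 1
  fi
}

rollback() {
  [ -f "$ARCHIVE/$VM.qcow2" ] || { echo "no archived disk in $ARCHIVE" >&2; return 1; }
  sudo cp "$ARCHIVE/$VM.qcow2" "$IMAGES/" || return 1
  sudo virsh define "$ARCHIVE/$VM-definition.xml" || return 1
  sudo virsh start "$VM" || return 1
  if wait_state running 60; then echo "$VM is running again"; else echo "$VM did not start" >&2; return 1; fi
}

# Constructed samples for checking the parsers offline.
SAMPLE_LIST=" Id   Name           State
----------------------------------
 3    other-vm       running
 -    pfSense-FW01   shut off"
SAMPLE_LOCAL="aaaa  /mnt/onboard-ssd/libvirt/archive/pfSense-FW01.qcow2
bbbb  /mnt/onboard-ssd/libvirt/archive/pfSense-FW01-definition.xml"
SAMPLE_REMOTE="aaaa  pfSense-FW01.qcow2
bbbb  pfSense-FW01-definition.xml"

case "${1:-}" in
  archive)  archive ;;
  rollback) rollback ;;
  *)        echo "usage: $0 archive|rollback" >&2 ;;
esac
```

Run `archive` only after the 24-48 hour monitoring window in Phase 4 has passed; the script does not shut the VM down itself, so the shut-off check is also what enforces that ordering. Keep the archived copy until the rollback window has closed, since `rollback` reads from the local archive, not the NAS.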