Restoring from Backups

Backups are not useful without a means to restore them, and by extension, test them. pfSense offers several means for restoring configurations. Some are more involved than others, but each will have the same end result: a running system identical to when the backup was made.

Restoring with the WebGUI

The easiest way for most users to restore a configuration is by using the WebGUI:

  • Navigate to Diagnostics > Backup & Restore
  • Locate the Restore configuration section (Figure WebGUI Restore).
  • Select the area to restore (typically ALL )
  • Click Browse
  • Locate the backup file on the local PC
  • Click Restore Configuration

The configuration will be applied, and the firewall will reboot with the settings obtained from the backup file.

../_images/backup-restore.png

WebGUI Restore

While easy to work with, this method does have some prerequisites when dealing with a full restore to a new system. First, it would need to be done after the new target system is fully installed and running. Second, it requires an additional PC connected to a working network or crossover cable behind the pfSense firewall being restored.

Restoring from the Config History

For minor problems, using one of the internal backups on the pfSense firewall is the easiest way to back out a change. On full installations, the previous 30 configurations are stored in the Configuration History, along with the current running configuration. On NanoBSD, 5 configurations are stored. Each row shows the date that the configuration file was made, the configuration version, the user and IP address of a person making a change in the GUI, the page that made the change, and in some cases, a brief description of the change that was made. The action buttons to the right of each row will show a description of what they do when the mouse pointer is hovered over the button.

To restore a configuration from the history:

  • Navigate to Diagnostics > Backup & Restore
  • Click the Config History tab (Figure Configuration History).
  • Locate the desired backup in the list
  • Click fa-undo to restore that configuration file
../_images/backup-confighistory.png

Configuration History

The configuration will be restored, but a reboot is not automatic where required. Minor changes do not require a reboot, though reverting some major changes will.

If a change was only made in one specific section, such as firewall rules, trigger a refresh in that area of the GUI to enable the changes. For firewall rules, a filter reload would be sufficient. For OpenVPN, editing and saving the VPN instance would be enough. The necessary actions to take depend on what changed in the config, but the best way ensure that the full configuration is active would be a reboot. If necessary, reboot the firewall with the new configuration by going to Diagnostics > Reboot System and click Yes.

Previously saved configurations may be deleted by clicking fa-trash, but do not delete them by hand to save space; the old configuration backups are automatically deleted when new ones are created. It is desirable to remove a backup from a known-bad configuration change to ensure that it is not accidentally restored.

A copy of the previous configuration may be downloaded by clicking fa-download.

Config History Settings

The amount of backups stored in the configuration history may be changed if needed.

  • Navigate to Diagnostics > Backup & Restore
  • Click the Config History tab
  • Click fa-plus-circle at the right end of the Saved Configurations bar to expand the settings.
  • Enter the new number of configurations to retain
  • Click Save

Along with the configuration count, the amount of space consumed by the current backups is also displayed.

Config History Diff

The differences between any two configuration files may be viewed in the Config History tab. To the left of the configuration file list there are two columns of radio buttons. Use the leftmost column to select the older of the two configuration files, and then use the right column to select the newer of the two files. Once both files have been selected, click Diff at either the top or bottom of the column.

Console Configuration History

The configuration history is also available from the console menu as option 15, Restore Recent Configuration. The menu selection will list recent configuration files and allow them to be restored. This is useful if a recent change has locked administrators out of the GUI or taken the system off the network.

Restoring by Mounting the Disk

This method is popular with embedded users. When the CF or disk from the pfSense firewall is attached to a computer running FreeBSD, the drive may be mounted and a new configuration may be copied directly onto the installed system, or a config from a failed system may be copied off.

Note

This can also be performed on a separate pfSense firewall in place of a computer running FreeBSD, but do not use an active production firewall for this purpose. Instead, use a spare or test firewall.

The config.xml file is kept in /cf/conf/ for both NanoBSD and full installs, but the difference is in the location where this directory resides. For NanoBSD installs, this is on a separate slice, such as ad0s3 if the drive is ad0. Thanks to GEOM (modular storage framework) labels on recent versions of FreeBSD and in use on NanoBSD-based embedded filesystems, this slice may also be accessed regardless of the device name by using the label /dev/ufs/cf. For full installs, it is part of the root slice (typically ad0s1a). The drive names will vary depending on type and position in the system.

NanoBSD Example

First, connect the CF to a USB card reader on a FreeBSD system or another inactive pfSense system (see the note in the previous section). For most, it will show up as da0. Console messages will also be printed reflecting the device name, and the newly available GEOM labels.

Now mount the config partition:

# mount -t ufs /def/ufs/cf /mnt

If for some reason the GEOM labels are not usable, use the device directly such as /dev/da0s3.

Now, copy a config onto the card:

# cp /usr/backups/pfSense/config-alix.example.com-20090606185703.xml \
      /mnt/conf/config.xml

Then be sure to unmount the config partition:

# umount /mnt

Unplug the card, reinsert it into the firewall, and turn it on again. The firewall will now be running with the previous configuration.

To copy the configuration from the card, the process is the same but the arguments to the cp command are reversed.