pfSense Disaster Recovery

 
 
 

Some Background

The reason I am having to do this disaster recovery dates back a couple of months. I switched out the LAN network interface on my firewall, and in the process of moving the interfaces from one card to the other, pfSense crashed. This crash caused an issue with the package manager, which I managed to fix, but I didn't think about any other parts of the OS that could have broken at the same time. So applying the latest 2.6 version of pfSense CE broke the firewall completely: it would boot and you could get to the shell, but no firewall features would load. So here we go to disaster recovery.


The Recovery

OK, so I broke the cardinal rule of upgrading: back up! This guide assumes you can get into the shell on the device. It covers retrieving the config, then setting up a USB stick to reinstall and put that config back onto the firewall. If you have a backup config, congratulations: you were wiser than I was and can proceed directly to restoration.

Retrieving the config from the firewall

The first step is to get a USB flash drive and create an 8GB partition with a FAT filesystem. Once you have this, plug it into your firewall, then plug in a monitor, keyboard and mouse. On the pfSense initial screen, select 8 to get into the shell. Then type the commands below.

mkdir /tmp/usb

This creates a directory to mount your drive to.

mount_msdosfs /dev/da0s1 /tmp/usb

This mounts the drive to the location you just created.

cp -a /conf/. /tmp/usb/backup

This copies your current config file as well as your incremental backups and a few other bits but it's easier to just copy the folder.

umount /tmp/usb

This unmounts the USB drive so you can remove it.

Congratulations, you now have your config file; everything should now proceed smoothly.
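Since the reinstall wipes the only other copy, it is worth checking the copied config.xml before running umount. The following is an added example, not part of the original steps: the function name and the script name verify.sh are hypothetical, the paths are the ones used above, and it assumes the standard <pfsense> root element of a pfSense config.xml.

```shell
#!/bin/sh
# Added example: verify a copied pfSense config.xml before unmounting the stick.
# Assumed paths (from the steps above): /conf/config.xml as the source and
# /tmp/usb/backup/config.xml as the copy.

# verify_config_copy SRC DST
# Returns: 0 = copy is good, 1 = a file is missing or empty, 2 = copy differs
# from the source, 3 = not a complete pfSense config (no root element or truncated).
verify_config_copy() {
    src=$1
    dst=$2

    # Both files must exist and be non-empty.
    [ -s "$src" ] && [ -s "$dst" ] || return 1

    # Byte-for-byte comparison catches short writes on a full or failing stick.
    cmp -s "$src" "$dst" || return 2

    # A pfSense config has <pfsense> as its root element ...
    grep -q '<pfsense>' "$dst" || return 3

    # ... and the last non-blank line must close it; otherwise the source
    # itself was cut short (for example by a crash) and was copied faithfully.
    last=$(grep -v '^[[:space:]]*$' "$dst" | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "</pfsense>" ] || return 3

    return 0
}

# Run the check only when two paths are given, e.g.:
#   sh verify.sh /conf/config.xml /tmp/usb/backup/config.xml
if [ $# -eq 2 ]; then
    rc=0
    verify_config_copy "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: backup matches the source and looks complete" ;;
        1) echo "FAIL: source or copy is missing or empty" ;;
        2) echo "FAIL: copy differs from source" ;;
        3) echo "FAIL: not a complete pfSense config" ;;
    esac
    exit $rc
fi
```

A result of 3 means the file on the firewall itself is damaged; in that case one of the incremental backups copied along with it in the same folder can be checked the same way by comparing it against its own copy on the stick.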

Preparing the installation media

Now, there is a config retrieval tool in the pfSense installer; however, I believe this is mostly for corrupted drives, as it scans and fixes the drive to retrieve the config. I'm sure most people will know how to make a USB boot drive using Balena Etcher, but I'm going to go through it anyway.

Download and install Balena Etcher from here

Once done, go to the pfSense website and select the OS type and the location closest to you. This will bring up a page that looks like the below.

Make sure to select an option that has memstick in its name; in my case I downloaded pfSense-CE-memstick-2.6.0-RELEASE-amd64.img.gz. This is very important, as the memstick img has a FAT partition that we will use later.

Now open Balena Etcher, select the image you downloaded, select the flash drive, and then flash.

Once the image is complete, you should have a drive called PFSENSE. You need to create a folder called “conf” and place your config.xml in that folder.

Now your flash drive is ready.

Reinstalling pfSense

This part is fairly simple. As part of the installation routine, the installer checks for an existing configuration on a USB drive formatted as FAT or FAT32. If the installer can locate and read a configuration file, it copies the file to the target disk.

Install the OS as you would normally; however, do not remove the USB media until after the system has rebooted. Now, when the system boots, your config should be loaded and you won't have to go through first-time setup. The only thing I would warn about is that if you have packages installed, check they have now re-installed, as I had one missing, but it was easy enough to re-download through the package manager.

Afterthoughts

While this was necessary for me, I also took this opportunity to take advantage of some of the new pfSense features that have come along since my initial install. For instance, my mobo does not have RAID, but now the OS supports ZFS, so I took the opportunity to mirror my boot drive to hopefully prevent a future failure. As of 2.6, Netgate are also offering the opportunity to upgrade to Plus from CE with a free Home/Lab license. I am taking advantage of this. Also, to prevent loss, I am now using the Auto configuration backup feature, so I won't have to do a deep dive to retrieve my config should my system go down in future.