Here is how you start. Make sure you have an up-to-date backup of your PFSENSE Config. I know you backup before every time you do an upgrade right… ;)
We want to make the following modifications to the config.xml file.
<lagg>
<members>igb0,igb1,igb2,igb3</members>
<descr></descr>
<laggif>lagg0</laggif>
<proto>lacp</proto>
to this below
<lagg>
<members>igb0,igb1</members>
<descr></descr>
<laggif>lagg0</laggif>
<proto>lacp</proto>
Save your modified config.xml to a thumb drive. The drive should be formatted for fat32.
You will also want to make sure you have your network documentted. It's good practice but you will need to re-assign the interfaces because of the LAGG modifications.
Here is an example of the network documentation required.
WAN -> LAGG0.40 -> v4: 1.1.1.250/24
LAN -> LAGG0.30 -> v4: 1.1.2.250/24
opt1 -> LAGG0.50 -> v4: 1.1.5.250/24
opt2 -> LAGG0.60 -> v4: 1.1.6.250/24
so on and so forth.
If you are using OpenVPN you shouldn't need to define that, and you should also not be defining the actual physical interfaces such as igb0, igb1.
I’ve found the easiest way to do the restore is to reinstall pfsense. Once you've either login to the web interface and re-upload the config or put the config in after the install using the console. This procedure is going to use the console.
After install reinstall of PFSense is complete boot off drive.
 |
| Clean PFSENSE Installation |
 |
| USB Drive is da0 |
Plugin your usb drive, make note of the drive
In this case DA0; since it’s fat32 we want partition 1 which is S1 and we mount the drive with the following command
Mount -v -t msdosfs -o large /dev/da0s1 /mnt
cd to the /mnt directory and copy the file in this case config-FW2.xml to the /conf folder
 |
| Mount the USB Drive with the modified config file |
Copy the config file from the mounted drive to the /conf directory. You could do a complete over write of the config but I am much more cautious. I like to make a backup of the default config first then copy over.
cp /conf/config.xml /conf/config_bak.xml
cp /mnt/config-FW2.xml /conf/config.xml
Change the permissions of the newly copied config.xml to 644
chmod 644 /conf/config.xml
Reboot.
At this point you can reconnect your network connections to the LAGG and CARP interfaces. This will just take a few minutes to boot up and mostly fix our network interfaces.
Now we want to reassign our interfaces as they are slightly messed up. Note the igb0 and igb1.
 |
| Fix your interfaces igb0 and igb1 are lagged and should not be assigned. |
Fix your interfaces igb0 and igb1 are lagged and should not be assigned. To do this you will want to reassign your interfaces, but DO NOT modify the VLANs, to do that press 1 on the PFSENSE console menu. I know you have your networks documented right… ;)
Again, here is an example of the network documentation required.
WAN -> LAGG0.40 -> v4: 1.1.1.250/24
LAN -> LAGG0.30 -> v4: 1.1.2.250/24
opt1 -> LAGG0.50 -> v4: 1.1.5.250/24
opt2 -> LAGG0.60 -> v4: 1.1.6.250/24
 |
| Reassigned network interfaces. |
Once done, reboot your pfsense system, you may get something about removing igb because of an IPV6 conflict. You can ignore this press control c to escape.
IT make take a few minutes for pfsense to get it’s networks sorted out. If nothing on your switches have changed, you will be able to login to the web interface you can put the firewall back into production. The whole process should take no more then 10 to 20 minutes. Once you've accessed the web interface you will need to re-install any 3rd party extra's you may have installed such as the openvpn-client-export and the FTP_Client_Proxy. Upon plugging the fixed firewall back into place, I had no issues or internet hiccups from the system coming back online. CARP was just as responsive as ever and failover worked flawlessly on the reconfigured lagg.
