My Experience Migrating from NethSecurity 7 to 8

Hi everyone,

I just wanted to share my experience migrating three firewalls (2 boxes and 1 physical server) from NethSecurity 7 to 8.

The fact that I could boot from a USB drive gave me peace of mind during the process, knowing I could easily disconnect it and revert to the previous setup if needed. This made me feel much more comfortable proceeding with the upgrade.

For a migration, it was surprisingly painless. However, there are a few things to double-check afterward, which I’d like to share with you.

Once I downloaded the image from the old NethSecurity 7 using the migration tool and wrote it to a USB drive, 80% of the migration was already done on all three devices.

Here are a few things to double-check:

  • IPsec VPNs:
    If you have any active IPsec VPNs, make sure the route specifying the interface for the VPN was migrated correctly. I had some issues with the tunnel going up, but I reported the bug so it will likely be fixed soon.
    If it isn’t created automatically, create it yourself.
    Here’s an example of the route needed:

  • 2FA:
    You’ll need to set up 2FA again to get a new QR code for UI login.
    Be careful when enabling LUCI, as it will allow access to the Luci UI without 2FA!
    (I advise against enabling it)

  • Firewall Rules:
    Check if any firewall rules aren’t working.
    If so, try removing the source zone and leaving it as “any.”
    From the tests I’ve done, if both zones are assigned, the rule doesn’t seem to work properly.

  • FlashStart:
    If you use FlashStart, make sure the blue interface is active as well. In my case, it was only active for the green interface.

  • Threat Shield:
    Enable Threat Shield even without active lists (I recommend the FireHOL level 1 compilation) to enable banIP (the old fail2ban). I’m still having some issues with this, but tech support is working on it.

  • MultiWAN:
    If you use MultiWAN, make sure the WANs are set up correctly. You’ll probably find them in balance mode.
    If you had them in backup mode, switch them back.

  • DNS Resolution with Windows Domain Controller and VLANs:
    If you have a Windows Domain Controller and some clients are on the green interface while others are on a guest VLAN (in a different network class than the server), you might find that clients on the VLAN will no longer be able to authenticate and query the domain controller.
    Obviously the clients had the IP of the domain controller as DNS on the network card.
    This is likely due to NethSecurity 8 handling DNS requests differently than NethSecurity 7, even if you manually set the domain controller IP as DNS in the firewall and create the correct DNS record.
    The solution is to specify the domain controller IP in the DNS settings of the firewall, using this syntax:
    /domainname/serverip
    In this case, requests are handled correctly.

Overall, I’m happy with the migration. NethSecurity 8 feels much smoother and more responsive.
Ok, obviously there are some things to fix manually, but it was much easier and faster than I expected.
Good job!

I hope that I was helpful to those who will migrate!
:grinning:

8 Likes

Welcome @izuky and thank you for the wonderful feedback, and congrats on your migration(s)!

I’m sure it will make more than a few people proud over at Nethesis :slight_smile:

Again, welcome!

3 Likes

Welcome Riccardo,
thanks for the detailed report!

I really liked how you described the steps to do after a migration, this could be used to improve the documentation. :heart_eyes:

Some things can’t be configured like in NS7, so a double check is needed, but some parts can be improved.

IPsec VPNs:

Did you have a multiwan policy on NS7 to achieve the same?

Firewall Rules:

This sounds like a bug: can you report a rule created on NS7 that has this problem?

Wow this is so useful! Thanks for that.
Amazing testimonial

Hi Giacomo,
for the IPsec, yes, I had a MultiWAN in both cases.

In the first firewall there was an IPsec, but the traffic passed through the second WAN (PPPoE in backup).

In the second firewall there was an IPsec, but the traffic passed through the first WAN (not a PPPoE, but with a public IP).

For the firewall rules,
I fixed them all quickly, but they can easily find the original rule from the NS7 backup.
Here’s one that I’m sure didn’t work:

    config rule 'ns_63'
        option proto 'all'
        option dest ''
        option src 'guest'
        option name 'Consenti_Marcatempo'
        option target 'ACCEPT'
        option ns_service ''
        option log '0'
        option enabled '1'
        list src_ip '192.168.6.90'
        list dest_ip '172.16.1.0/24'
        list dest_ip '172.16.2.0/24'

On NS8 I had to put “any” as source and guest as destination, or the rule didn’t work.

2 Likes
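A small audit script for the rule problem discussed in this thread (the checklist item above and the 'ns_63' rule). This is an added example, not code from NethSecurity or from the posts; it assumes the UCI syntax shown in the rule and treats an empty or '*' zone as "any", and it also flags rules on the VPN zones (openvpn, rwopenvpn, ipsec) so they can be re-checked after migration.

```python
# Added example (not NethSecurity's own code): audit a migrated NS8 firewall
# config for rules that set BOTH a source and a destination zone (reported to
# stop matching after migration) and rules that touch the VPN zones named in
# the thread. Assumption: an empty or '*' zone means "any"/unset.
import re

VPN_ZONES = {"openvpn", "rwopenvpn", "ipsec"}

def parse_uci_rules(text):
    """Return one dict per 'config rule' section; 'list' keys become lists."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\w+)\s+'([^']*)'", line)
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == "config":          # keep only 'config rule' sections
            cur = {"_id": val} if key == "rule" else None
            if cur is not None:
                rules.append(cur)
        elif cur is not None and kind == "option":
            cur[key] = val
        elif cur is not None:         # kind == "list"
            cur.setdefault(key, []).append(val)
    return rules

def find_suspect_rules(text):
    """Map rule name (or UCI id) -> findings worth re-checking after migration."""
    findings = {}
    for r in parse_uci_rules(text):
        zones = [r.get("src", ""), r.get("dest", "")]
        real = [z for z in zones if z and z != "*"]   # zones that are not "any"
        notes = []
        if len(real) == 2:
            notes.append("both src and dest zones set")
        if VPN_ZONES & set(real):
            notes.append("references a VPN zone")
        if notes:
            findings[r.get("name", r["_id"])] = notes
    return findings

# Constructed sample: the rule from the thread plus two hypothetical rules.
SAMPLE = """config rule 'ns_63'
    option src 'guest'
    option dest ''
    option name 'Consenti_Marcatempo'
config rule 'ns_64'
    option src 'guest'
    option dest 'lan'
config rule 'ns_65'
    option src 'rwopenvpn'
    option dest 'lan'
"""
```

Run find_suspect_rules() over the contents of /etc/config/firewall to get the list of rules to re-test first.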

@giacomo I just realized that a rule I hadn’t changed isn’t working.
Here is the rule before the change:

And here’s the rule I just changed and it works:

1 Like

Hi Riccardo,
thank you for your clear and very useful report.

About IPsec and MultiWAN: only recently, after a long investigation, we found the root cause, which is related to specific rules for traffic coming from the firewall itself.
Until the fix is released, a specific route is still the best workaround.

About the firewall rules, thanks to your feedback we are releasing an update for the firewall migration tool for NethServer 7 that will fix all the issues with VPN zones (openvpn, rwopenvpn, ipsec) for both rules and port forwards (we found a problem in the zone name used for the reflection_zone).
This will also fix an issue in rules with custom zones created in NethServer 7 that we found previously.

New issue created: Migration: FlashStart not enabled on guest/blue interface · Issue #792 · NethServer/nethsecurity · GitHub

1 Like