If it were a small update there are ways to force it back but given the scope of the changes between 2.4.3 and 2.4.4, it will indeed require a reinstall and to restore an old backup from before the upgrade.

@stephenw10 Perfect - Thanks!

This is resolved. There was a hangup with the peer identifier being returned by some FWs. By forcing all IPSec connections to use "IP address" the remaining sites connected. The specific error message that led me to this solution was like this: no IKE config found for 123.124.125.126...131.132.133.134, sending NO_PROPOSAL_CHOSEN (note IP's have been changed for security reasons). Thanks, Frank

@derelict Nope, 100/100 Mbit's fiber, the whole download process was strangely slow too. EDIT: But wow... I see now when measuring I only get like 7 Mbit/s down......... Is there a package in pfsense where I can log the speed over time and make a nice graph over it?

I found the cause of the problem! My network cable (in the wall) which is leading to the ISP switch is only Cat 5 and my hardware / pfSense could not measure it was only "100baseTX <full-duplex>" so after setting this manually it went pass the configuring WAN step. Now I am installing updates tho! :)

@gertjan said in UPDATE Offline: But also : these systems seem pretty mission-critical to me. The fact that they are isolated takes away all forms of "firewall aggressions" from the outside. Being isolated does not necessarily reduce risk. The biggest threat is human error with portable media (USB sticks, flash memory cards, etc.) that can "migrate across" those data diode devices I mentioned. Of course there are many rules and procedures governing portable media control, but any process with a human involved can break. The firewalls are used to segment various control and monitoring networks and plant systems from each other. They provide routing between control networks when necessary and police the traffic that passes to insure it is authorized and expected. So really not any different from what firewalls do at the perimeter of any network and the Internet. You want to keep your firewall software somewhat current to stay ahead of any known flaws. Anti-virus software updates are another problem in need of a good offline update solution. Again, because of the threat posed by USB devices and other portable media, you want your workstations on control networks running AV. But AV quickly becomes useless without weekly and sometimes daily updates. All of this is a big headache for the cybersecurity guys working the nation's critical infrastructure ...

2.4.4 is not yet released. It's still in development.

Thanks for the quick reply @kpa The USB boots with UEFI enable on my test laptop, so that seems to be the main issue. I hope my (very old) pfsense box has UEFI to boot from... Cheers.

sounds good, thanks buddy.

If this is on 2.4.4 snapshots, there is a known issue there that already has a thread and a redmine entry. If this is not on 2.4.4, but a different version, you'll need to provide a lot more information before we can speculate about the cause or solution.

Are you certain you are using the most current version of the package? The logs would suggest that error is months old.

also i have problem in 2.4.2-RELEASE (amd64). patch not working. also i tried do it by manual lines was different. is anybody have this problem in 2.4.2?

I have an instance running just fine in OVH. Once I installed it, I had to double check the interface to make sure they were connected to the correct networks. I also had to clone the MAC from the NIC on ESXi for the WAN interface in pfSense to get it to work.

Found out what was causing the error. I had an outdated package catalogue. To fix the error I used the following commands from the shell: pkg-static clean pkg-static update -f The force is necessary for the update, since the pkg manager thinks it is up-to-date.

That is kind of what I was afraid of but there is no way for me to connect it somewhere to test it.

Try the setting to show packets blocked by the default block rule, in the firewall logs, and see if that shows your blocked packet. When you say "from LAN" do you mean from a PC on the LAN or from pfSense on the LAN interface? On the LAN side there should be a default rule to allow from IPv4 * (any protocol) with source LAN, to WAN.

For all following - this has been resolved and I have now successfully installed 2.3.5 and cleanly upgraded to latest 2.4.1 via web console. Root of boot / install failures was using a Prolific 2303 driver with Win 10. Finally dug up a serial header to attach to desktop and bang! Booted right into installer and deployed to mSata drive on first attempt. For anyone that might run into similar issues, be very certain the serial connection being used is either direct or running under something other than Win10 on that particular serial-to-usb controller.