pfSense Plus Software Version 23.01 is Now Available for Upgrades

Gertjan

Initially, I wanted to wait until morning.
Like my favorite You-tuber always says "Let Mikey go first ...".

But hey, I've ZFS, so I prepared a 'I was here' point with a click.
Rebooted pfSense for good manners.
Checked available disk space.
Made a extra copy of the config.xml.

I upgraded using the console, option 13, as this shows what happens, my terminal sessions are logged for 'later analyses' if needed.

It was a no brainer.

*** Welcome to Netgate pfSense Plus 23.01-RELEASE (amd64) on pfSense ***

Btw : When I came home yesterday, Youtube wanted me to see this :

pfSense Plus 23.01 Release & Update Details

bingo600

I just upgraded a backup/test machine - Hystou i5 .. Protecli (clone) w. 5 x EMx netcards.
Upgraded wo. a hitch, including all packages

CPU & Mem usage seems to be the same

22.05

23.01

I only have Wan + Mgmt IF connected, so not really a good test.
But it upgraded perfectly.

/Bingo

lpfw

I would say stay away
breaks DNS resolver and pfblocker
nothing but problems
seems to randomly stop working
pcap just says server failure
nothing useful in logs or dns resolver status

have another host that won't accept IPSEC connections

bingo600

@lpfw said in pfSense Plus Software Version 23.01 is Now Available for Upgrades:

I would say stay away
breaks DNS resolver and pfblocker

Unbound seemed to work fine for me, but then i'm just forwarding to my own bind9 servers.
Don't use pfBlocker, i use pihole.

Thanx for the info though.

I'm usually not a first mover, on the new releases.
At job, that would be super bad ...
At home "it would hurt my ears" if SWMBO lost Netflix

But i actually think it was the easiest upgrade i ever had ... Not even zabbix_agent "barfed".

/Bingo

DefenderLLC

@lpfw said in pfSense Plus Software Version 23.01 is Now Available for Upgrades:

I would say stay away
breaks DNS resolver and pfblocker
nothing but problems
seems to randomly stop working
pcap just says server failure
nothing useful in logs or dns resolver status

have another host that won't accept IPSEC connections

Don't forget that after the PFblockerNG package gets updated, which it does as part of this 23.01 upgrade, you have to do a manual force reload in PFblockerNG to update your IP/DNSBL lists.

bmeeks

Upgraded an SG-5100 the day of the 23.01 release without issue. Still running just fine. The only installed optional package is the OpenVPN Client Export package.

DefenderLLC

I have noticed a significant increase in memory utilization since upgrading. On 22.05, my 6100 MAX would usually hover around 18% utilization, but on 23.01 it slowly increases to 38% or more until I reboot it.

I have a fairly simple deployment and the culprit seems to be Unbound and ntop.

HuskerDu

I was quite upset on this upgrade, based on major releases for several components... but I was wrong.

Careful planning, and it went smoothly. 3 days uptime with no issues.

FollyDude 0

After running for about 3 days on 23.01, I had to back out to 22.05. I am running on a Netgate SG-6100. 900 down/100 up Mbps PPPoE connection (UK Zen). Not a complicated configuration, only a few firewall rules.

I was having performance problems that mostly showed as slow web page loads. I thought it might be a DNS problem, but I found nothing conclusive. I spent waaay too much time troubleshooting this, so I decided to back out.

After backing out to 22.05 with a ZFS snapshot, the performance was back to normal.

Just adding my $.02

FollyDude

SteveITS

@follydude-0 Next try, or for others with a similar issue…if you have DNS Resolver set to forward, uncheck the option to use DNSSEC and see if that helps. It did here, I’ve seen a few other posts, Quad9 says it can cause false failures, and Netgate has that tidbit (to disable it) in a troubleshooting doc or other doc page I’m not finding again at the moment.

barber

Hi all,

just my experience: very poor network performance on upgraded version.

Immediately revert back to 22.05

barber

FollyDude 0

@steveits

Thanks for your input, in my case I am not using DNSSEC but DNS over SSL/TLS with Cloudflare DNS servers.

iulianteodor

I would like to know what is the most correct procedure for updating to version 23.01.
I had problems updating with 3 devices. 2 non-Netgate hardware and 1 Netagate 2100.
A. For a non-Netgate hardware and the Netagate 2100 the procedure was as follows.
1. Backup to the configuration, 2. disabled pfblocker (Keep Settings), 3. System/Update/System Update.
At the first pfsense crashed and the Netgate 2100 did not boot.

B. For the second non-Netgate hardware the procedure was as follows.
1. Backup to the configuration, 2. pfblocker enable, 3. System/Update/System Update.
Also pfsense crashed.

I still have about 4 devices to update and I don't know what I should do to avoid situations like this

SteveITS

@iulianteodor The recommendation in the upgrade guide is to uninstall packages, not disable them. It’s supposed to work, and the upgrade will upgrade the package too, but it’s cleaner if you do it.

The 2100 (and 1100) had a bug apparently due to early (ufs?) models having a small EFI partition. I hit it too but I expected it because I was intentionally testing it for Netgate in a thread discussion. The update was pulled: https://forum.netgate.com/topic/178049/pfsense-plus-23-01-updates-on-the-1100-and-2100-systems. Per other threads, even knowing the conditions Netgate wasn’t able to replicate it.

Sorry to hear of your experience. I’ve updated many routers at many clients the last 15ish years and problems are rare. 23.01 was a major OS upgrade and a major PHP upgrade so I personally was expecting some rough edges, especially in packages, which are often by third parties. Usually I watch the forums for a week or two before starting to test.

iulianteodor

@steveits I've been using pfsense for more than 5 years and it's the first time I've encountered problems like this.
I recovered the Netgate 2100 with installation with ZFS. I did not succeed with UFS. Clearly, as you say, due to the small partition.
The following devices I will do as you said with the uninstallation of the packages.
Thank you very much!

saerdna

@mwatch what about a CE 2.7 release? Are there plans for a new release or will CE be phased out silently? In former times CE and plus arrived at the same time, until now i can't here anything about a new CE release ...

SteveITS

@saerdna https://redmine.pfsense.org/projects/pfsense/roadmap

saerdna

@steveits thnaks for the link to the roadmap. The open bug reports have "Target Version: 2.7.0" and "Plus Target Version: 23.05", so the new CE 2.7.0 will be released with plus 23.05 in maybe 4-6 months?

SteveITS

@saerdna I was just trying to point out 2.7 still existed. re: target versions, they tend to show a version instead of "next" for open issues. Up until 23.01's release they were all 2.7 and 23.01. So I don't think one can assume 2.7 will be tied to any Plus version. Seems they are disconnected now. Per https://www.netgate.com/blog/pfsense-plus-pfsense-ce-dev-insights-direction "There will be CE releases after 2.6, but unlike Plus, they’ll be done when they’re ready, not on a regular cadence."

A Former User

There is a certain irony here with this split between the CE version and the + version in that those paying for (via hardware) or opting for the + version end up being BETA testers for the upgrade process and the new version.

Those not opting for the plus version and so deliberately getting the upgrade delayed to their CE version, actually end up with the better experience!

Just seems a bizarre approach by Netgate.