Netgate Discussion Forum

    Searching network details related to pfsense updates

      pvswie

      Hi All,

      I am using a bunch of pfsense+ boxes (NG-1100 & NG-6100) on an internal network.
      I would like to be able to update these boxes. I see a few options:
      (1) The easy way (but not allowed by my organization and therefore not an option): Disconnect the boxes and connect them to an internet facing network, perform the update then disconnect and connect to the internal network again.
      (2) From each box, set up an additional network connection (using an unused network port) to an internet facing network, perform the update then disconnect again.
      (3) Download the update (OS & packages) and using a USB stick move them to this internal network then perform an installation.

      As stated above my organization does not allow option (1). Option (3) is the preferred solution but I have no clue as to how to do this. Option (2) will lead to a discussion but if I come up with a list of protocols and sites it might be allowed.

      Can anyone help here? Maybe shed some light on how option (3) would be possible or, if that turns out impossible, some details as to what (sites, protocols, etc) exactly is used when a pfsense+ box is updating. Yes, I know I could trace internet traffic while a device is updating but (a) this is a lot of work to set up then analyse and (b) potentially incomplete because the traced update likely does not update everything, potentially resulting in some site / protocol not being used and therefore not captured by my trace.

      I hope someone can help

        stephenw10 Netgate Administrator

        Option 3 is quite straightforward. Back up the config files. Boot from the recovery image on a USB drive and install the new version. Restore the config.
        Open a ticket to get the recovery images: https://www.netgate.com/tac-support-request

        The only issue with that is it will not be able to pull in any packages if you are using any.

        Steve

          pvswie @stephenw10

          @stephenw10
          Hi Steve,

          Thanks for the reply.
          I do use packages so option 3 is a no-go if packages are not possible that way. The question then goes back to details as to what (sites, protocols, etc) exactly is used when a pfsense+ box is updating.

          I hope someone can help.

            stephenw10 Netgate Administrator

            It should be sufficient to allow https to 208.123.73.0/24. As long as DNS works locally.

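An added example (not part of the thread and not Netgate code): a Python check that audits flow records captured while a box updates against the rule suggested in the last reply, HTTPS to 208.123.73.0/24 plus DNS to a local resolver, and lists anything outside it. The CSV record format, the resolver address 10.0.0.53 and the sample flows are constructed assumptions.

```python
import ipaddress

# From the thread: HTTPS to this range should be sufficient for updates.
UPDATE_NET = ipaddress.ip_network("208.123.73.0/24")
# Assumption: internal resolver address (the thread only says DNS works locally).
LOCAL_DNS = ipaddress.ip_address("10.0.0.53")

# Constructed sample flow records: src,dst,proto,dport
SAMPLE_FLOWS = """\
10.0.5.11,208.123.73.10,tcp,443
10.0.5.11,10.0.0.53,udp,53
10.0.5.12,208.123.73.200,tcp,80
10.0.5.12,198.51.100.7,tcp,443
10.0.5.11,208.123.74.1,tcp,443
"""

def classify(dst, proto, dport):
    """Return the rule a flow matches, or 'violation' if it matches none."""
    addr = ipaddress.ip_address(dst)
    if addr in UPDATE_NET and proto == "tcp" and dport == 443:
        return "update-https"
    if addr == LOCAL_DNS and dport == 53 and proto in ("udp", "tcp"):
        return "local-dns"
    return "violation"

def audit(text):
    """Group flow records by verdict; each entry is (line number, raw line)."""
    report = {"update-https": [], "local-dns": [], "violation": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            src, dst, proto, dport = [f.strip() for f in line.split(",")]
            verdict = classify(dst, proto.lower(), int(dport))
        except ValueError:
            # Malformed record: flag it for review instead of skipping it.
            verdict = "violation"
        report[verdict].append((lineno, line))
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for verdict, rows in result.items():
        print(verdict, len(rows))
    for lineno, line in result["violation"]:
        print("outside allowlist:", lineno, line)
```

An empty violation list after a full update (OS and packages) is the evidence that the temporary rule was wide enough; any entry there is a destination the rule would have blocked.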
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.