Netgate Discussion Forum

    Got pfSense on Azure working but pfSense update breaks

Category: Firewalling
11 Posts, 4 Posters, 1.2k Views
NightlyShark

First of all, (because I know nothing of Azure) do you have the option to pass the VNICs as PCIe devices and not VIRTIO?

Second, did you apply a rate limit on the NICs (from the Azure GUI) that matches what Azure can manage? (Virtual NICs have issues with bandwidth, especially if the arrangement is virtual to bridge to firewall to bridge to virtual (which I suspect is the case for Azure VMs; I could/must be wrong, though). I found that even in my Proxmox VIRTIO vtnet bridges it is best to manually set 1 GBit and a 1500 MTU, otherwise I get packet drops.)

Third, because running a VM on the cloud means that it accesses the internet from a datacenter, and most (big) DNS providers use different server clusters geographically with the same IPs globally (see 8.8.8.8 and 1.1.1.1) and have ISPs modify their routing tables, could it be that you use a DNS server for pfSense that is meant to be used by the public and not by an Azure datacenter? Those errors at the end of the log could also mean that the IP of the update server is not accessible from the Azure "location".

Fourth, did you disable all offloading (most probably yes, I imagine)?

Fifth, does the Azure VM stack allow you to accelerate AES-NI workloads? If not, 2-3 IPsec or OpenVPN site-to-sites would bring the VM to its knees.

SteveITS (Galactic Empire) @doiiido

@doiiido FWIW Netgate sells this as a service… https://www.netgate.com/pfsense-plus-software/how-to-buy#Azure

https://docs.netgate.com/pfsense/en/latest/solutions/azure-appliance/faq.html#does-the-appliance-support-a-live-update-of-the-software

https://www.netgate.com/pfsense-plus-azure-cloud

I thought they had an Arm Azure version too but not finding it.

Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

doiiido @SteveITS

@SteveITS
Yep, but I've created a Community Edition version (pfSense CE) from scratch on Hyper-V and uploaded it.
Everything works, but it can't update from the GUI because of this weird bug...

doiiido @NightlyShark

@NightlyShark
Hi,
Azure doesn't have many options for the VMs' hardware intrinsics, and everything is presented to the VM the same way as it was on Hyper-V. I haven't changed the rate limit, but I don't think it's an issue because the internal VMs and the sites both have flawless connectivity.
Offloading is disabled and AES-NI is supported but doesn't work (OpenSSL shows errors related to it in the logs if enabled).

About the routes, I'll be checking the outbound packets to discover the IPs used by pfSense for updates, but it seems weird, as every other service from global IPs routes and works (DNS, NTP, Microsoft, etc.)

I run 4 site-to-site tunnels; the CPU usage is about 10% and memory about 50% on a B1S size machine (1 vCPU, 1 GB RAM).

Best Regards,
Lincoln.

NightlyShark @doiiido

@doiiido The last thing that comes to my mind is to check if DNS resolution is OK, and then if there is any firewall on the Azure side.

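Following up on the two checks suggested in this thread (is DNS resolution OK, and is something on the Azure side filtering the connection), here is an added shell diagnostic that is not from any poster and not part of pfSense itself. It reads the pkg repository configuration, pulls out the repository hostnames, and for each one reports whether the name resolves and whether TCP/443 can be reached, so a DNS failure can be told apart from an outbound filter such as a cloud-side network security group. Assumptions: a FreeBSD-style userland with `host`, `nc`, `sed` and `sort` available, a repo config directory of `/usr/local/etc/pkg/repos` (overridable via `REPO_DIR`), and a constructed sample config using `.invalid` hostnames so the stand-alone run never touches a real server.

```shell
#!/bin/sh
# Added example, not from the thread: classify pkg repository hosts as
# DNS_FAIL / TCP_FAIL / OK from the firewall's shell.
# Tool names and the repo directory are assumptions (FreeBSD-style userland).

# Constructed sample in pkg repo-config (UCL) syntax. The .invalid TLD is
# reserved and never resolves, so running on the sample is safe offline.
SAMPLE_REPO_CONF='pfSense-core: {
  url: "pkg+https://pkg.example.invalid/core",
  enabled: yes
}
pfSense: {
  url: "pkg+https://pkg.example.invalid/main",
  enabled: yes
}
FreeBSD: {
  url: "https://mirror.example.invalid/packages",
  enabled: no
}'

# Assumed location of the repo .conf files on the firewall.
REPO_DIR=${REPO_DIR:-/usr/local/etc/pkg/repos}

# repo_hosts: read repo config text on stdin and print each distinct hostname
# found on a `url:` line. The optional pkg+ prefix, the scheme, any :port
# suffix and the path are dropped.
repo_hosts() {
    sed -n 's/^[[:space:]]*url:[[:space:]]*"\(pkg+\)\{0,1\}[a-z]*:\/\/\([^/"]*\).*/\2/p' \
        | sed 's/:[0-9]*$//' \
        | sort -u
}

# dns_ok HOST: exit 0 if the resolver returns an A record for HOST.
# `host` here is the ldns-based tool shipped in the FreeBSD base system.
dns_ok() {
    host -t A "$1" >/dev/null 2>&1
}

# tcp_ok HOST PORT: exit 0 if a TCP connect succeeds within 5 seconds.
tcp_ok() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# classify HOST: DNS_FAIL if the name does not resolve, TCP_FAIL if it resolves
# but port 443 is unreachable (points at an outbound filter rather than DNS),
# OK otherwise.
classify() {
    if ! dns_ok "$1"; then
        echo "DNS_FAIL"
    elif ! tcp_ok "$1" 443; then
        echo "TCP_FAIL"
    else
        echo "OK"
    fi
}

# check_hosts: read config on stdin, print "<host> <verdict>" per host.
check_hosts() {
    for h in $(repo_hosts); do
        printf '%s %s\n' "$h" "$(classify "$h")"
    done
}

main() {
    if [ "$1" = "--sample" ]; then
        printf '%s\n' "$SAMPLE_REPO_CONF" | check_hosts
    else
        cat "$REPO_DIR"/*.conf | check_hosts
    fi
}

# Only run when invoked with an explicit mode, so the functions can be sourced
# or exercised without touching the network.
case "${1:-}" in
    --sample|--live) main "$1" ;;
esac
```

Run it as `sh check_repo_hosts.sh --live` on the firewall to test the real repositories, or with `--sample` to see the DNS_FAIL path on the constructed config. A host that resolves but shows TCP_FAIL is the case to take to the cloud-side firewall rules; a DNS_FAIL is the case to take to the resolver settings.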
markes20754

Did you ever figure this out? I've spent hours uploading different configs of 2.7.x CE to Azure and they can all take updates on-prem but break after being moved to Azure. 2.6.0 doesn't have the problem but if you update 2.6.0 to 2.7.0 in Azure it breaks all updates with the same symptoms you've described.

SteveITS (Galactic Empire) @markes20754

@markes20754 There was another thread, I guess around the same time as this one, where Netgate said they put some changes/fixes/drivers/whatever into Plus to let it work on Azure. Info on their solution is above.


markes20754 @SteveITS

@SteveITS Thanks -- odd, because pfSense has been working in Azure for quite a bit and upgrades worked. Now no packages can be downloaded or anything as of 2.7.0.

doiiido @markes20754

@markes20754 You can restore the dpkg files and folder from the local image and update through dpkg, but the GUI updates no longer work.

markes20754 @doiiido

@doiiido Thanks -- as much as I held off, I just went with OPNsense for my Azure deployments. Hopefully Netgate addresses the issue in CE, but I suspect they've blocked Azure hardware IDs from getting updates if they're not paying and CE got included in that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.