pfSense Installer Hinders Offline Network Deployment
-
Hey pfSense Community,
Remember when firewalls were supposed to keep things safe? Now they're holding our entire network hostage! — at least that's how I feel about the new installer. I'm prepping for LinuxDay Con and trying to get a couple of firewalls running. Doesn't sound like a big deal, right?
The catch? We don't have a working network at the venue yet! The pfSense installer needs an internet connection to function, but we need the firewalls up before we can even establish that connection. It’s like needing a phone charger to charge your phone, but the only way to get that charger is by using your phone to call your friend to bring you one over.
We're running borrowed PCs and some questionable makeshift network setups just to get anything running – so a reinstall on site is a must as we cannot trust the previous install if there was any. Right now we're doing some whacky LTE hotspot to ethernet workarounds on bad coverage, leaving us with a deployment time of roughly 1 hour per firewall. With the old installers, we had them up and running in like 10 minutes.
It’s a serious roadblock for offline deployments like ours.
What are your thoughts? Any workarounds, suggestions, or solutions that haven't involved pulling out my hair yet?
Rei
-
@ToeiRei
100% ACK, I see and had the same issue. Using my LTE router to install the pfSense, no fun at all.
-
If you're installing CE then just use the legacy installer(s).
Steve
-
@stephenw10 Hi Steve. Thank you for your reply.
The legacy installers are not officially offered on the homepage. If I go to the pfsense homepage (pfsense.org) and click on "Downloads" (https://pfsense.org/download/) it redirects you to a page that gives you a button labeled "Download" which sends you over to https://shop.netgate.com/products/netgate-installer which is that online shop where you get forced to the new installer.
No link on that page pointing to something even close to the old installer.
Please do understand that my beef is not with the installer itself but the forced online install as I have to deal with situations where I do not have network and thus requiring a way to install stuff online for reasons like USB Tethering, PPP, PPPoE and all that nasty stuff that's still out there.
I do see the nice features of an online installer, don't get me wrong. But if you're out and about and happen to have no network or bad coverage, you're screwed.
-
Yup, I understand. The installer is still in flux and feedback like this helps. Thanks.
-
maybe it's possible to bundle the online installer with the CE edition?
Without an internet connection it's only possible to install the CE version?
As I wrote in the other topics, for me installing pfSense normally means a huge issue with my pfSense, or in other words no internet connection.
-
My problem is really the amount of weird setups I stumble upon and it's a real headache to deal with non-offline installations.
My suggestion would be a flow like this:
- Community or Plus? (plus can check for their stuff online as a warning somewhere)
- Offline or online install?
The legacy installer was such a no-brainer as well that you could do it blindfolded, sleeping on the enter key. I am aware that we are still a far cry away from an unattended installation and I don't mind it. I just would love to see that simplicity back again to not worry about network interface assignments until that thing is installed, somewhat secured and ready to go online.
Recent incident was a broken down firewall pc - backup available. So instead of just installing, I had to guess the right interfaces for the installer instead of a no-brainer install, restoring the backup and being able to do something quickly. I guess you can see how frustrating that was as I would not trust a random pfsense image pulled from a google search.
By now I have an ISO file that I treasure for getting around the installer backed up at least 3 times.
-
@slu don't get me wrong, but this starts to feel a tad like a dumpster fire for CE users.
-
@ToeiRei said in pfSense Installer Hinders Offline Network Deployment:
What are your thoughts? Any workarounds, suggestions, or solutions that haven't involved pulling out my hair yet?
Hair ?
That's close to the brain ... use that!
Here: click on the image, and see for yourself:
You'll find an answer on the first marked link.
-
@ToeiRei said in pfSense Installer Hinders Offline Network Deployment:
We don't have a working network at the venue yet!
It’s a serious roadblock for offline deployments like ours.
What are your thoughts?
Opinions are like as*holes.. everybody has one, or so goes the saying.. ;)
Educated opinions such as yours are somewhat a bit rare and obviously should be considered a bit more.
I would ask if you had actually downloaded any of the installers before arriving at your venue?? Experience has taught me that I can not do without having my personal Mofi router with me anywhere I go due to this kind of situation. (Maybe I have become more educated or cynical.. or both..) Truthfully I do not trust anybody to have thought this out so I have to before I go to my remote sites to work.
I would agree that in this particular kind of application that maybe the full installer is the better choice to put out there for initial install but then during setup offer the user to update the system to the latest files and packages. It's not like this software is a browser or other client side application that assumes that you already have network connectivity in place.. Sometimes the latest and greatest methods are not for everybody.
But my advice is to always look for what could bite you in the days before during the planning stages.. that kind of thing could look good on your resume later.
-
I wouldn't consider my opinions more educated than others - I just had more time to make mistakes compared to other folks due to my age - and tried to remember a few of the things that went boom in my career.
@chpalmer said in pfSense Installer Hinders Offline Network Deployment:
I would ask if you had actually downloaded any of the installers before arriving at your venue??
I am having my ol' and trusty images by now plus a couple of ISO files on a Ventoy stick to save me some trouble as even a readily installed device can fail and you need to reinstall on a fresh disk in a pinch. Been there, done that.
@chpalmer said in pfSense Installer Hinders Offline Network Deployment:
But my advice is to always look for what could bite you in the days before during the planning stages..
Borrowed hardware on a budget is a sure way to bite you. Question is not 'if', it's 'when'. Especially when you receive certain parts just on site. We do get sponsored hardware at some point which is questionable as well and you get it a couple of hours before the opening. So firmware and stuff is really handy and a small fileserver in the admin vlan hosting that stuff is a must have at that point.
My worry is really about the future deployments to come especially on some crucial infrastructure like a firewall...