Updating a new lab that is not in production yet
-
Hi all,
I am setting up a new pfSense router on PC hardware. The install went smoothly, and then I restored a config that was created previously. So far the router works, connects to the ISP, and serves the LAN as expected. Now, I want to upgrade it from 2.6 to 2.7.
Since the router is not in production yet, I plugged a LAN cable into its WAN port and temporarily switched the WAN iface to DHCP. It got an address, and then I tried to update/upgrade. It did not work due to the lack of a DNS name for pkg.pfsense.org. I solved that by adding an entry for that name in the /etc/hosts file.
Next, I got certificate validation and authentication errors and solved them by adding env SSL_NO_VERIFY_PEER=1. This seemed to work in the beginning, but still not completely:
/root: env SSL_NO_VERIFY_PEER=1 pfSense-upgrade -d
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: . done
Processing entries: . done
pfSense-core repository update completed. 7 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
pfSense repository update completed. 532 packages processed.
All repositories are up to date.
>>> Locking package pkg...
Locking pkg-1.19.1_2
>>> Upgrading pfSense-repo...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Updating database digests format: . done
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pfSense-repo: 2.6.0_13 -> 2.7.0_2 [pfSense]
Number of packages to be upgraded: 1
6 KiB to be downloaded.
[1/1] Fetching pfSense-repo-2.7.0_2.pkg: . done
Checking integrity... done (0 conflicting)
[1/1] Upgrading pfSense-repo from 2.6.0_13 to 2.7.0_2...
[1/1] Extracting pfSense-repo-2.7.0_2: .......... done
>>> Upgrading pfSense-upgrade...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 4 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
pfSense-repoc: 20230616 [pfSense]
Installed packages to be UPGRADED:
libucl: 0.8.1 -> 0.8.2 [pfSense]
pfSense-upgrade: 1.0_15 -> 1.0_33 [pfSense]
uclcmd: 0.1_3 -> 0.2.20211204 [pfSense]
Number of packages to be installed: 1
Number of packages to be upgraded: 3
The process will require 17 MiB more space.
5 MiB to be downloaded.
[1/4] Fetching uclcmd-0.2.20211204.pkg: ... done
[2/4] Fetching pfSense-upgrade-1.0_33.pkg: ... done
[3/4] Fetching pfSense-repoc-20230616.pkg: .......... done
[4/4] Fetching libucl-0.8.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/4] Upgrading libucl from 0.8.1 to 0.8.2...
[1/4] Extracting libucl-0.8.2: .......... done
[2/4] Installing pfSense-repoc-20230616...
[2/4] Extracting pfSense-repoc-20230616: .. done
[3/4] Upgrading uclcmd from 0.1_3 to 0.2.20211204...
[3/4] Extracting uclcmd-0.2.20211204: .... done
[4/4] Upgrading pfSense-upgrade from 1.0_15 to 1.0_33...
[4/4] Extracting pfSense-upgrade-1.0_33: ...... done
>>> Unlocking package pkg...
Unlocking pkg-1.19.1_2
pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
Can anybody tell me what I am still missing?
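Added example, not part of the original post and not pfSense's own tooling: a diagnostic that leaves certificate verification on, lists the static /etc/hosts pins for the two update hosts named in this thread, compares each pin with live DNS, and attempts a verified TLS handshake. It assumes `awk`, `host` and `openssl` are available on the firewall; the function names are hypothetical and the 192.0.2.10 address in the sample is a constructed placeholder.

```sh
#!/bin/sh
# Added example: audit static /etc/hosts pins for the update hosts and test
# TLS with certificate verification left ON (no SSL_NO_VERIFY_PEER).
UPDATE_HOSTS="pkg.pfsense.org ews.netgate.com"   # host names from the thread

# Constructed sample hosts file; 192.0.2.10 is a documentation placeholder.
sample_hosts() {
    cat <<'EOF'
127.0.0.1      localhost
192.0.2.10     pkg.pfsense.org      # pinned by hand
208.123.73.69  ews.netgate.com ews
# 198.51.100.5 ews.netgate.com      (commented out, must be ignored)
EOF
}

# Print "ip name" for each hosts entry whose name or alias matches $2...
pinned_hosts() {
    file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '{ sub(/#.*/, "") }
            NF >= 2 { for (i = 2; i <= NF; i++)
                          if (tolower($i) == n) print $1, n }' "$file"
    done
}

# True if the pinned IP ($1) is among the A records DNS returns for $2.
pin_matches_dns() {
    host -t A "$2" 2>/dev/null | awk '/has address/ { print $NF }' | grep -qxF "$1"
}

# True only if the certificate chain and the host name both validate.
tls_ok() {
    openssl s_client -connect "$1:443" -servername "$1" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

audit() {
    date -u    # a wrong clock also breaks certificate validation
    pinned_hosts "${1:-/etc/hosts}" $UPDATE_HOSTS | while read -r ip name; do
        if pin_matches_dns "$ip" "$name"; then echo "pin matches DNS: $name -> $ip"
        else echo "pin differs from DNS or DNS unavailable: $name -> $ip"; fi
    done
    for h in $UPDATE_HOSTS; do
        if tls_ok "$h"; then echo "TLS verified: $h"
        else echo "TLS verification failed: $h"; fi
    done
}

# Run on the firewall with: sh audit.sh audit [hosts-file]
if [ "${1:-}" = "audit" ]; then audit "${2:-/etc/hosts}"; fi
```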
-
@wschvex said in Updating a new lab that is not in production yet:
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
It needs to reach ews.netgate.com to update those.
But why does it not have DNS? It should just be using the upstream router for DNS if it hands its own IP to use via DHCP. Or resolving directly.
And why is it seeing bad certs? Is it behind a proxy?
You could just install 2.7.2 directly and restore the config into it.
-
@stephenw10 said in Updating a new lab that is not in production yet:
@wschvex said in Updating a new lab that is not in production yet:
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
It needs to reach ews.netgate.com to update those.
But why does it not have DNS?
I do not know whether it does or it does not.
Our LAN's DNS works flawlessly for everything but this pfSense lab. I have no way of knowing what pfSense needs.
It should just be using the upstream router for DNS if it hands its own IP to use via DHCP. Or resolving directly.
And why is it seeing bad certs? Is it behind a proxy?
There is no proxy.
You could just install 2.7.2 directly and restore the config into it.
Agreed. That's probably a smarter option than to chase answers on the Internet.
-
Weird though. There must be something in the config.
By default it resolves locally using Unbound and prefers that. But if that fails for some reason it will fall back to using any DNS servers passed to it by DHCP.
-
You are probably onto something.
In the pfSense general config, I've put the external DNS servers (the ISP's).
Our current router is the DNS server for the LAN. It forwards and blocks access to external DNS servers from the LAN.
Its address is sent to every DHCP client, and that is what the WAN interface of pfSense would have gotten.
Could there be a conflict between the DNS servers in the general setup (the ISP's DNS servers) and the DHCP-supplied LAN DNS server? Perhaps I should temporarily replace the ISP's DNS servers in the general setup with the local DNS server's address?
-
Yes, that or change the preference setting there to allow DHCP-supplied servers to override the configured servers.
-
Tried to check off that box - no dice.
/root: pfSense-upgrade -d
pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
Added to /etc/hosts
208.123.73.69 ews.netgate.com ews
and
/root: pfSense-upgrade -d
Migrating /cf to ZFS dataset pfSense/ROOT/default/cf... done.
Migrating /var/cache/pkg to ZFS dataset pfSense/ROOT/default/var_cache_pkg... done.
Migrating /var/db/pkg to ZFS dataset pfSense/ROOT/default/var_db_pkg... done.
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/meta.txz: Unknown resolver error
repository pfSense-core has no meta file, using default settings
pkg-static: https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.pkg: Unknown resolver error
pkg-static: https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.txz: Unknown resolver error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz: Unknown resolver error
repository pfSense has no meta file, using default settings
pkg-static: https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg: Unknown resolver error
After that, the system does not boot: Config.xml is corrupted and 0 bytes...
Nice!
-
You should consider making pfSense more robust and less fragile.
Bricking the user's router as a result of an unsuccessful upgrade should not be an option.
The config update should be the last step that only executes after a successful, complete upgrade.
If the config is corrupt, the device should not brick as it does. There should either be an option to reset to factory, which does not work in my case and immediately outputs the same error and menu. Instead, on each successful boot after a config file update (archive bit), a backup copy of it should be taken and restored if the config is found to be broken.
Seeing how pfSense struggles to update (which also takes forever) and then bricks itself, I have no choice than to wipe out the lab and cross it off the list of solutions to our router replacement, which is a damn shame because otherwise pfSense is perfect.