pfSense 2.8.0 full iso/img

ryan87

@stephenw10 said in pfSense 2.8.0 full iso/img:

I mean there is an ISO image for the Net Installer. I assume you mean an offline install image?

It adds a bunch of testing for us to have multiple installers.

You can still just use the 2.7.2 legacy image and upgrade though.

That's not a great solution for us. We have a bunch of legacy APU2 devices that are going to need to be upgraded and the second 2.8.0 upgrade I tried obliterated the FW I was upgrading.

With 2.7.2 and earlier, our recovery plan would be someone going on-site, installing 2.7.2, and restoring a backup. That worked great because we have our own backup system where we can drop the config on a USB and have a system restored in ~5m.

Now, we're going to have to endure an upgrade that, after uninstalling and re-installing packages as recommended, is going to take 15-30m and may or may not work. Or the other option is to waste time with the online installer where we need to have the WAN settings documented and entered by hand.

So recovery from a failed update has gone from a simple process to a convoluted mess and changed from being something that we can deal with quickly to something that's an embarrassment for us while we sit on site with downtime that's far worse than it used to be.

All of our new installs are official Netgate devices now, but I still have ~125 APU2s to deal with. The online installer is a pain for all devices.

For our use, the online installer is an objectively worse experience. I personally hate it. I'm already getting pressured to switch to Ubiquiti FWs and now I'm going to have to explain how our current solution just got worse. How do I keep pitching pfSense? I'm so frustrated by this.

nazar-pc

I'm sure there are reasons behind such moves, but I can't think of any that are beneficial for the pfSense CE community.

For example, I can't download now because apparently Netgate store is banned (incorrectly mind you, had no idea that this was the case) in my region, even though I didn't mean to buy it, only to download an ISO of supposedly Open Source project, which apparently no longer exists.

So I can't really run a script to build it from source, I can't download a prebuilt ISO either. Does it improve my confidence in pfSense CE? Not really.

In fact I'd be happy to pay some amount for CE that use use for personal purposes, but not for Plus that can be pulled from under me at any time (I remember community was encouraged to upgrade for free not so long ago, but then apparently was left without clear downgrade path).

Please seriously reconsider your relationship with Open Source community, it could use some improvement.

UPD: I was just thinking about reinstalling my VM to switch from BIOS to UEFI. But since Internet comes from that VM, I can't really do that without offline installer (let alone I'm unable to download even online installer now). I could install 2.7.2 first, but then backup from 2.8.0 will likely cause problems. You cause so much frustration for me now

ryan87

I can't edit my post anymore, but I spent a few hours trying to reproduce my upgrade failure and couldn't. Based on what I tested, I had a hardware failure during the update since a reload / restore of 2.7.2 didn't help (WAN was flapping up and down every second). So, to be clear, the issue I had didn't have anything to do with the update to 2.8.0.

Patch

@nazar-pc said in pfSense 2.8.0 full iso/img:

I'm sure there are reasons behind such moves, but I can't think of any that are beneficial for the pfSense CE community.
…
I can't really do that without offline installer … so much frustration for me now

You are dreaming if you think Netgate are going to provide an offline installer for their free but not paid version. I agree an online installer is more convenient however it makes no business sense for Netgate to make using their free version a better experience than their paid version.

If there is any chance of improving the CE experience it will have to be at least as good with the plus version.

I suspect it comes down to Netgate having an enforceable mechanism of pfsense run time use. Imo probably best done by requiring regular run time license validation, with failure resulting in staged reversion to CE, with generous warning. Doing so would enable transfer of plus license to different hardware and offline plus installation.

Vetal

@stephenw10

Upgrade is not the same as clean install

uname -r
15.0-CURRENT

awk '/__FreeBSD_version/ {print $3}' /usr/include/sys/param.h
numbers
is
'/^\#define[[:space:]]*__FreeBSD_version/

1400094

Clean upgrade from 2.7.2

I am porting zerotier to pfSense and this marketing with online installer stinks bad.

stephenw10

Hmm, not sure what you're showing here?

The upgrade from 2.7.2 uses the same pkg repos the Net Installer does.

quantum007

The move to a unified installer I can understand a bit, but the lack of offline install support is a bad move by Netgate. With this single decision Netgate has chosen to almost completely eliminate themselves as a option for every non-internet connected, high security, or classified system around the globe. I highly suggest Netgate reconsider releasing offline install packages.

dark.baritone

Just noticed this after posting here

@dark-baritone said in Internet Connection Required On New Installations:

Re: Mandatory internet connection on new pfSense installer

@stephenw10 advantages for whom?

It's completely nonsensical for router firmware to require an internet connection. What if I want to setup VPNs before I make any outbound network connections? What if my internet hasn't been installed yet and I want to setup my internal network while I'm waiting? What if my ISP requires some advanced configuration in order for me to connect? What if I need to assign a specific MAC address in order to connect?

There are myriad different reasons why we wouldn't want to install with internet access.

If you want to give someone the OPTION of checking for the latest update before installing, that's absolutely fine.

Literally every Linux distribution works like this. There is no reason that pfSense can't do it.

The old (correct) images are available here but the new 2.8 version is not there. When are those going to be added to the list?

dark.baritone

Additional feedback on Reddit

dark.baritone

@stephenw10 it was noted on that Reddit thread by gonzopancho (who seems to be the CEO?) that there is an offline pfSense Plus installer? Is this only available for Netgate hardware or can users install via a fresh install completely offline?

tgbauer

Netgate installer 1.0-RC1 fails to install properly on HPE ML30g9. pfSense 2.7.0 installer works as expected.
Also, Netgate installer doesn't have the normal way of configuring ZFS before install (setting swap size for example), but pfSense 2.7.0 installer does.

Would prefer an option to include (or add) all the needed files in USB image, so that it can work without internet connection.

and for the ZFS options to be added back into installer.

tgbauer

Well, looks like it is the new kernel (or the configuration for it). After upgrading it won't boot with default kernel, but will boot with old kernel and works that way. Rolling back to 2.7.2 and will wait for a 2.8.x version with a kernel that works on an HPE ML30g9

stephenw10

The new installer has a bunch of additional options including SWAP size. Should be available pretty soon.

elvisimprsntr

BACKGROUND

With 2.7.2 CE, I have a USB flash drive with my most recent config.xml file for an emergency offline restore in case my appliance fails. It automatically install pfSense and my config.xml file during installation.

The reason is if my appliance fails (for what ever reason), since pfSense hosts all my services (DNS, DHCP, routing, etc.) I will loose access to devices on my network and internet until I have a working pfSense appliance. The only time I have needed to use it is when upgrading my pfSense appliance.

2.7.2 CE README.txt

Note: I simply dropped the config.xml in the root folder and confirmed it works.

Restoring an Existing Firewall Configuration (amd64)
----------------------------------------------------

An existing configuration file (config.xml) can be restored during the
installation process. Place a copy of the config.xml file on this FAT partition,
in this directory or under X:\conf\config.xml where X: is the letter of this
drive.

At the end of the installation process, this file will be copied to the target
drive and used in place of the default configuration. Packages will be restored
after the firewall boots with the new configuration in place.

MOVING FORWARD

Now that Netgate only offers an online installer, I loose the ability to perform an emergency offline install.

OPTIONS

1. Create a bootable USB flash drive with an disk image of my install to allow offline emergency restore. - TBD
2. Use the online installer with my config.xml and figure out how to get the appliance on the internet (Laptop on hotspot, appliance bridged to my laptop via wired Ethernet, etc.) - PITA
3. Simply resort to installing pfSense on a cold spare appliance and test swapping it out. - Advantage is I can get all the packages and patches installed, plus update Tailscale and its keys.
4. Figure out how to set up HA with a second appliance. - Additional power consumption and learning curve.

QUESTION

1. Has anyone figure out a way to make a bootable USB flash drive with an disk image of an install to perform an emergency offline install?

If not, I guess #3 is my only other easy option.

slu

@elvisimprsntr you can install pfSense and create a image with dd or clonezilla,...

stephenw10

You can also just install 2.7.2 and upgrade to 2.8 if your WAN doesn't allow using the current net installer. The upcoming net installer does allow a lot more options there.

dark.baritone

@stephenw10 please stop offering that as a solution. That will only be a possible solution until there's an upgrade to pfSense that offers an installable solution that is not available in 2.7.2.

For example, if ZFS was not offered in 2.7.2, but was in 2.8.0, then the only way to get ZFS would be to use the inferior installer and hence would not be able to be installed offline.

And to be clear, I'm a Plus customer and also find the online installer unacceptable. I have no problem paying for software.

It would be entirely possible to have the Plus activation key, once registered on an online system, to generate a system-specific installer key that could be derived with the activation token so that an offline install could be done while verifying (without internet access) that it had previously been installed on that system. Once the system goes online, it can do a further verification to make sure nothing had been spoofed.

chrcoluk

@elvisimprsntr I think the closest one might get is install 2.8 somewhere, then make an image of the installation, recover the image as a means of a offline install.

Luckily upgrading from 2.7.2 to 2.8 was easy for me, so the upgrade path at this time isnt a large chasm. So I do think a 2.7.2 install followed by in place upgrade is still a viable way to do it.

quantum007

@stephenw10
Several customers, including myself, have raised valid concerns about requiring an internet connection for the installer. While the stated rationale—“Having a single installer for both CE and Plus reduces the test load and potential for bugs”—is understandable, it does not prevent the option of also providing a USB or ISO image, or even a tool to generate offline installation media from the net installer.

Netgate should seriously consider this feedback. Ignoring customer needs, especially from those managing large deployments, complex networks, or high-security environments, risks losing them to competitors like OPNsense, Sophos, Juniper, or Palo Alto. These are not fringe use cases—they represent significant, enterprise-level customers.

Positioning pfSense primarily for home office or SMB deployments while closing the door on broader markets to simplify internal release processes is a short-sighted strategy. Listening to your customers is not just good practice—it's essential to maintaining relevance and market share in a competitive space.

chpalmer

As a remote radio tech that goes to places that I only might have microwave backhaul with no DHCP server on the far end...

I do not like this because I now have to set up equipment that I might not have before I left the shop.. but-

I like the idea of being forced to set up my equipment in the shop before I leave and not be such a lazy ass. I have a simple lab.. why don't I use it?!?

I carry a cellular router everywhere I go.. but I don't have service everywhere I go.- (if you are truly talking about your employment here then why don't you have one?)

But I can go back to where I have service... coffee shop, truck stop.. ect.. and set up my equipment there.. if I didn't at the shop.. and explain to the accountant why I charged such a long lunch to the company account..

Hmmm pros and cons.. Yes it will take some out of their comfort zone. Yes I am sure that Netgate is taking notes. And no I do not have any problem with Netgate grabbing some user statistics to let them know how to proceed in the future.

One more pro- don't have to constantly keep up with the newest version on my memory stick.