pfSense 2.8.0 full iso/img

tgbauer

Well, looks like it is the new kernel (or the configuration for it). After upgrading it won't boot with default kernel, but will boot with old kernel and works that way. Rolling back to 2.7.2 and will wait for a 2.8.x version with a kernel that works on an HPE ML30g9

stephenw10

The new installer has a bunch of additional options including SWAP size. Should be available pretty soon.

elvisimprsntr

BACKGROUND

With 2.7.2 CE, I have a USB flash drive with my most recent config.xml file for an emergency offline restore in case my appliance fails. It automatically install pfSense and my config.xml file during installation.

The reason is if my appliance fails (for what ever reason), since pfSense hosts all my services (DNS, DHCP, routing, etc.) I will loose access to devices on my network and internet until I have a working pfSense appliance. The only time I have needed to use it is when upgrading my pfSense appliance.

2.7.2 CE README.txt

Note: I simply dropped the config.xml in the root folder and confirmed it works.

Restoring an Existing Firewall Configuration (amd64)
----------------------------------------------------

An existing configuration file (config.xml) can be restored during the
installation process. Place a copy of the config.xml file on this FAT partition,
in this directory or under X:\conf\config.xml where X: is the letter of this
drive.

At the end of the installation process, this file will be copied to the target
drive and used in place of the default configuration. Packages will be restored
after the firewall boots with the new configuration in place.

MOVING FORWARD

Now that Netgate only offers an online installer, I loose the ability to perform an emergency offline install.

OPTIONS

1. Create a bootable USB flash drive with an disk image of my install to allow offline emergency restore. - TBD
2. Use the online installer with my config.xml and figure out how to get the appliance on the internet (Laptop on hotspot, appliance bridged to my laptop via wired Ethernet, etc.) - PITA
3. Simply resort to installing pfSense on a cold spare appliance and test swapping it out. - Advantage is I can get all the packages and patches installed, plus update Tailscale and its keys.
4. Figure out how to set up HA with a second appliance. - Additional power consumption and learning curve.

QUESTION

1. Has anyone figure out a way to make a bootable USB flash drive with an disk image of an install to perform an emergency offline install?

If not, I guess #3 is my only other easy option.

slu

@elvisimprsntr you can install pfSense and create a image with dd or clonezilla,...

stephenw10

You can also just install 2.7.2 and upgrade to 2.8 if your WAN doesn't allow using the current net installer. The upcoming net installer does allow a lot more options there.

dark.baritone

@stephenw10 please stop offering that as a solution. That will only be a possible solution until there's an upgrade to pfSense that offers an installable solution that is not available in 2.7.2.

For example, if ZFS was not offered in 2.7.2, but was in 2.8.0, then the only way to get ZFS would be to use the inferior installer and hence would not be able to be installed offline.

And to be clear, I'm a Plus customer and also find the online installer unacceptable. I have no problem paying for software.

It would be entirely possible to have the Plus activation key, once registered on an online system, to generate a system-specific installer key that could be derived with the activation token so that an offline install could be done while verifying (without internet access) that it had previously been installed on that system. Once the system goes online, it can do a further verification to make sure nothing had been spoofed.

chrcoluk

@elvisimprsntr I think the closest one might get is install 2.8 somewhere, then make an image of the installation, recover the image as a means of a offline install.

Luckily upgrading from 2.7.2 to 2.8 was easy for me, so the upgrade path at this time isnt a large chasm. So I do think a 2.7.2 install followed by in place upgrade is still a viable way to do it.

quantum007

@stephenw10
Several customers, including myself, have raised valid concerns about requiring an internet connection for the installer. While the stated rationale—“Having a single installer for both CE and Plus reduces the test load and potential for bugs”—is understandable, it does not prevent the option of also providing a USB or ISO image, or even a tool to generate offline installation media from the net installer.

Netgate should seriously consider this feedback. Ignoring customer needs, especially from those managing large deployments, complex networks, or high-security environments, risks losing them to competitors like OPNsense, Sophos, Juniper, or Palo Alto. These are not fringe use cases—they represent significant, enterprise-level customers.

Positioning pfSense primarily for home office or SMB deployments while closing the door on broader markets to simplify internal release processes is a short-sighted strategy. Listening to your customers is not just good practice—it's essential to maintaining relevance and market share in a competitive space.

chpalmer

As a remote radio tech that goes to places that I only might have microwave backhaul with no DHCP server on the far end...

I do not like this because I now have to set up equipment that I might not have before I left the shop.. but-

I like the idea of being forced to set up my equipment in the shop before I leave and not be such a lazy ass. I have a simple lab.. why don't I use it?!?

I carry a cellular router everywhere I go.. but I don't have service everywhere I go.- (if you are truly talking about your employment here then why don't you have one?)

But I can go back to where I have service... coffee shop, truck stop.. ect.. and set up my equipment there.. if I didn't at the shop.. and explain to the accountant why I charged such a long lunch to the company account..

Hmmm pros and cons.. Yes it will take some out of their comfort zone. Yes I am sure that Netgate is taking notes. And no I do not have any problem with Netgate grabbing some user statistics to let them know how to proceed in the future.

One more pro- don't have to constantly keep up with the newest version on my memory stick.

JonathanLee

You know I wanted to chime in and say I love the Squid package. However back to this new installer topic, it's designed to be a "white glove" install, meaning you do nothing and the install configures everything while the software comes down and it is all per user contract request. It can be as customized as you want and it is set up perfectly per the spec requested every time. Look so many vendors have moved to this way of things.... look at Windows 11, and many other IT vendors for banking technology. This started many years ago, and now with the bandwidth we got today, its just gonna get worse... It is just like the dumb terminals of the 80s, that with a mix of the speed of today alongside our complex software setups that are reaching several GB in size - maybe even TB in size in the near future. Look we have got the ability to have software alongside config pushed down in a few seconds by way of today's bandwidth so why not use it. Any one of our configs could be pushed into a white box easily over and over again if we so desired. It's the future just embrace it. I don't like it either but I have experienced this change back in 2009. I use to have to carry books of software for everything while in the field once it moved to whiteglove it was so simple no one needed us anymore it was plug in and push a button. It was so easy. This is the future get use to it as to many things could go wrong with the old way of things, this is simply risk mitigation, and this is cyber security. Whitegloved config + software downloaded at a keystroke will be the future way of professional grade installs, with the config done long before it gets to any install team. Again this is for mass installs across huge networks with many remote offices. Even so they will always have a backup plan or that emergency flash drive option ...

quantum007

@JonathanLee

Most software deployments don't accompany fresh hardware installs and not all systems are allowed to touch the internet. Secure enclaves, classified environments, and sometimes just network design create areas where, once a device is installed, it is never going to see the internet again. Forcing isolated systems to require internet connections for updates is not cyber security, it is just Netgate streamlining their release process. Netgate can choose to lose those customers or support high security environments. I believe that closing the door on those markets is short-sighted, you may feel differently.

pwood999

Just to add to this, my home install was easy but did require multiple hops. 2.7.2 used static IP to my internet router, so to install 2.8 meant I have to install, and then spend time reconfiguring the WAN plus various other stuff.

The Lab at work was another story, because like others the WAN uses VLAN's which I could not see any way to configure in the installer. Online upgrade was less than ideal, so we ended up doing it all at home & then taking the box to the work lab.

Remote offices would have been a complete PITA so they are still on 2.7.2

Popolou

@pwood999 Now imagine what it is like for us in DC's.

dark.baritone

I want to be very careful here. As much as I'm very adamant that the offline installer should not have been removed. The business concern is that there are people freeloading off of the software who have ample resources to pay for it. While there are gray areas, I think we can all agree that someone like Amazon should be paying for the software they use. I think we can all also agree that if there's someone out there selling an unofficial pfSense appliance, that company should be paying for pfSense.

The problem that the pfSense team is trying to solve with the online installer is the freeloader problem described above. I think this was the wrong way to approach this, but we have to understand where they were coming from and realize that just saying "give us back the offline installer" is not productive because it doesn't solve their problem. We need to be talking in terms that supports an offline installer AND ALSO helps solve their freeloader problem.

Additionally when we use the word "customer" (someone who pays for a product) when we really mean "user", it conflates things. If everyone who used pfSense was indeed a "customer", then I don't think we would have ever ended up with an online-only installer.

revengineer

@dark-baritone Per the title of the topic, we are specifically requesting the release of an image for the CE edition. This edition is free and freeloading is allowed and perhaps encouraged. I understand that there have been issues with abuse of the plus edition, and if this needs to be protected as a consequence then so be it.

(A comment on the latter, the abuse could have been stopped by placing a one time fee on the plus version. Unfortunately, the introduction of a $100+ annual fee has put this edition out of reach for me as a home user. It may not seem much, but with so many companies fee-ing us to death with daily/monthly/annual subscriptions, one has to make choices. I considered replacing my firewall with netgate hardware, but a version that mounts into my small rack and offers the same performance as my re-used hardware is also out of my financial reach. I wish I could do better.)

Patch

@revengineer said in pfSense 2.8.0 full iso/img:

we are specifically requesting the release of an image for the CE edition. This edition is free

A desirable feature of firewall software.

Your challenge is Netgate are a for profit company with employees which would like to be paid.
For any relationship to survive long term it needs to be win - win.

So the interesting bit is how is Netgate helped by CE and how is it harmed.

• CE having a desirable feature not also available on plus would cause harm to Netgate

• Free debugging and beta testing by CE user has helped plus customers in the past. The changed development cycle has reduced this benefit over the last couple of years. In fact separate testing and release of CE may have become a net negative for Netgate.

So from a purely technical perspective adding a separate feature to CE maybe relatively straight forward (it has been done in the past). From a business perspective achieving what you would like is a very long shot on it's own imo.

jdeloach

This post is deleted!

pwood999

@Popolou Yes I know. In my case we are small innovation team with limited budget. Once projects go to production teams, they purchase their network kit with support contracts as well.

This raises another question for me, i,e; Does the latest paid for version come with offline ISO for installs ?

Popolou

@dark-baritone No, Netgate never made any correlation between moving to the net installer and the desire to workaround the "freeloaders". It was understood (heard from certain circles) that someone internal to the business took this decision without any wider consultation ostensibly for the reasons we've come to hear publicly on the forums.

If there was any genuine intention to follow community wishes, it is not technically beyond them to provide an option to build an ISO via the installer which downloads the latest version and packages it to a single image.

JonathanLee

Another potential talking point is that this approach could allow Netgate to access user bases in countries where certain software packages are restricted or unavailable. For example, Squid's ability to perform SSL interception using CA certificates is considered illegal in some countries outside the United States. By identifying the user's IP address, it may be possible to tailor or restrict software features based on the user's location, thereby enabling the creation of country-specific versions of the software at the time of download.

In my case, I encountered issues when I needed a specific older version of the software that supported the SafeXcel cryptographic accelerator. Fortunately, I still have a USB copy of that version, but looking ahead, there’s a concern: if older versions are no longer allowed or accessible, users like me won’t be able to revert to a setup that worked reliably should they need to. This could create challenges for those who depend on legacy hardware or specific features that are no longer supported in newer releases.