Netgate Discussion Forum

    pfSense 2.8.0 full iso/img

    • JonathanLee

      Another potential talking point is that this approach could allow Netgate to access user bases in countries where certain software packages are restricted or unavailable. For example, Squid's ability to perform SSL interception using CA certificates is considered illegal in some countries outside the United States. By identifying the user's IP address, it may be possible to tailor or restrict software features based on the user's location, thereby enabling the creation of country-specific versions of the software at the time of download.

      In my case, I encountered issues when I needed a specific older version of the software that supported the SafeXcel cryptographic accelerator. Fortunately, I still have a USB copy of that version, but looking ahead, there’s a concern: if older versions are no longer allowed or accessible, users like me won’t be able to revert to a setup that worked reliably should they need to. This could create challenges for those who depend on legacy hardware or specific features that are no longer supported in newer releases.

      Make sure to upvote

      • Popolou @pwood999

        @pwood999 said in pfSense 2.8.0 full iso/img:

        This raises another question for me, i.e., does the latest paid-for version come with an offline ISO for installs?

        No, they all use the net installer now by design.

        • scottjh1

          Previously I used Sophos UTM9. In order to get the ISO you were required to register with Sophos, receiving a license key. For home users it was free, as is pfSense CE. The software would work for 30 days absent of installing the key. If a license was not applied it would become unusable. I believe pfSense/Netgate should consider a similar option. My reasoning is the user now has a full offline install, eliminating the security issues of an online install. Additionally, Netgate is able to track how many devices the software is installed on under a free license. Building on this model would open the door to determine if pfSense CE is being used in commercial installations where a paid license should have been purchased. The question of security comes up when putting a home device on the internet with no protection while doing a remote install. What level of protection is given to the box as it is installing? The model indicates none. Many users may not have a second router to put in front of the device while the install is underway. Personally I would not even consider directly connecting any device to the internet without a firewall to protect it.

          • revengineer

            pfSense CE is based on an open source project and I thought that this would come with some moral obligations. I understand that it may not be a legal obligation to offer a stand-alone installer, and I assume that the source code is public to the degree required. I no longer pay attention to this as the source has never been in a form where it could be compiled by a user.

            • joshgreyz @quantum007

              @quantum007 said in pfSense 2.8.0 full iso/img:

              The move to a unified installer I can understand a bit, but the lack of offline install support is a bad move by Netgate. With this single decision Netgate has chosen to almost completely eliminate themselves as an option for every non-internet connected, high security, or classified system around the globe. I highly suggest Netgate reconsider releasing offline install packages.

              This sums it all up nicely

              • scottjh1

                I concur, and believe this is a direct result of bad actors selling/shipping devices with pfSense CE installed in the past. pfSense/Netgate was forced to protect their interests and business model. However, the fact remains the current install methodology appears to need some tuning. You are correct concerning secure installations, no iso retreating clients.

                • KOM

                  Everyone here is wasting their time complaining. The writing has been on the wall for months now (some would say years.) If you really need an ISO installer, you're either going to have to carry around 2.7.2 and then bootstrap it to current, or investigate your other OPtioNs.

                  I'm just now starting to play with an alternative at home. I never thought I would be in this position and yet here I am. Once I'm comfortable with it, I'll start ripping & replacing at work.

                  • pwood999

                    Recently done four of them. Two upgrades from 2.7.2 and two net installed. All went ok & reinstalled packages after.

                    I agree an iso would be useful but I’ve managed without.

                    Next one will be an ESXi VM, so will try both methods on that.

                    • ryan87

                      I've run into my first couple of issues caused by this over the last week.

                      We had a firewall fail at a site that has site-to-site VPNs with two other sites. It hadn't been upgraded to 2.8.0 yet because we need to schedule an update for all 3 sites at the same time to ensure we don't run into OpenVPN (or other compatibility) issues. It was ok this time because everything was still 2.7.2, so 5 minutes onsite and everything was back up.

                      Is the online installer going to work in a scenario like that if I need to install a specific older version until we can coordinate an update of multiple related sites?

                      The next issue I'm going to have is an update to a firewall on the weekend. Someone will be onsite doing other work, so we'd normally plan a firewall update at the same time. I'll prep it on a spare and once someone is onsite they'll install 2.7.2 and load the new config.

                      We use dynamic dns with low TTLs for people that don't have static IPs, so if I load 2.7.2, connect it to the internet, and update to 2.8.0, I'm going to break things for the live site. Of course I can disable DynDNS updates before connecting to the internet to update to 2.8.0, but I'm not impressed with the idea that we have to start jumping through a bunch of hoops that make my life harder for us so things can be easier for Netgate.

                      That's also ignoring the fact that someone onsite is going to have to waste time with an online update to 2.8.0 after the old reload and restore procedure is done. These are visible things that people notice and I have to explain why it's taking longer and getting more expensive.

                      I'm going to mention again, we're only buying official Netgate hardware at this point and that's what we're telling all of our customers to buy. The CE stuff is getting phased out for us, but I don't like getting kneecapped before we consider those devices EoL.

                      I'm extra annoyed today because I need to explain to my boss why they need to allocate 30 minutes for an update job that usually takes 5 minutes.

                      • stephenw10 Netgate Administrator @ryan87

                        @ryan87 said in pfSense 2.8.0 full iso/img:

                        Is the online installer going to work in a scenario like that if I need to install a specific older version

                        Yes. Currently the installer will install 2.7.2, 2.8.0 and 2.8.1-Beta. As well as Plus if eligible.

                        Is there some reason you can't use the Net Installer at those sites?

                        Consider adding the config during the install to save time.

                        • coxhaus @dark.baritone

                          @dark-baritone Yes, I just upgraded to 2.8 yesterday at my home. My Plus version had expired so I installed using a USB 2.6 version. It was a pain. The 10 gig drivers were giving me an issue and no ZFS. Plus, on my desktop keyboard for setting up the GUI, the N key stopped working. It took me a little bit to figure it out using the old BSD code 12.x. It was a combination of things; how easily we forget how the new technology we are using did not exist in the past. I managed to upgrade to 2.7, then 2.7.2 and then 2.8. The subnet firewall rules caught me for a little bit in 2.8 when my routed networks had no internet access. I use a Cisco layer 3 switch for my VLANs. Subnet is particular to pfSense and I had no VLANs defined to pfSense. Duh!

                          Now that it is running I am very happy with it. My gateway response times are sub-millisecond now, to both AT&T and my Cisco L3 switch. pfSense 2.8 is great in my way of thinking. Good job.

                          • ryan87 @stephenw10

                            @stephenw10 said in pfSense 2.8.0 full iso/img:

                            @ryan87 said in pfSense 2.8.0 full iso/img:

                            Is the online installer going to work in a scenario like that if I need to install a specific older version

                            Yes. Currently the installer will install 2.7.2, 2.8.0 and 2.8.1-Beta. As well as Plus if eligible.

                            Is there some reason you can't use the Net Installer at those sites?

                            Consider adding the config during the install to save time.

                            That's great we'll be able to get a previous version from the online installer. Adding the config to the installer to save some time will help.

                            There's no show-stopping reason we can't use the online installer, but we'll have to change how we do things a bit to accommodate.

                            As an example, the config I'll prep for the weekend is a job that will require some rack cleanup. Normally with a couple of people one of them can update the firewall in the amount of time it takes to clean up things around ISP equipment. We usually just shut the whole thing down for a short time and it's nice to do that work in parallel.

                            To be honest, I'm more frustrated than I should be about it because I like setting things up to be as efficient as possible and working through a new process to get things running smoothly again is going to mean a little bit more time onsite for the next couple of installs.

                            I took a break and, now that I've thought about it more, I think a USB-C to ethernet adapter plugged into a phone resolves most of the scenarios that are an annoyance for us: disconnected ISP equipment, slow internet, static WAN IPs, etc.

                            Thank you for replying and my apologies for replying to this thread without taking a break to think things through a bit better before complaining. I suppose I could use a nap today.

                            • coxhaus @revengineer

                              @revengineer Personally I don't care whether the source code is open source. I think it is a bad idea to give it away.

                              • revengineer @coxhaus

                                @coxhaus I no longer care either because the source code does not seem compilable for the average user. I used to have fun with compiling many years ago as a former Smoothwall user.

                                While it may be preferable not to give the source away, the fact that pfSense is forked from an open source project (m0n0wall) two decades ago may still require this. (I am not a legal expert on open source licensing.)

                                To bring this back to the title of the topic, this is solely about the release of an iso of the full compiled v2.8.0 for direct installs, not asking for anything more.

                                • elvisimprsntr @stephenw10

                                  @stephenw10

                                  Scenario is someone has an appliance that fails. Hypothetically, said appliance fails from excessive flash writes. Now internet access is down, and likely local LAN since DHCP/DNS is also running on said appliance.

                                  So how in God's name is someone able to:

                                  1. Download said net installer?
                                  2. Retrieve a backup config to put on the installer USB thumb drive?
                                  3. Run said net installer to get internet back up and running?

                                  This applies to both Netgate and third party appliances.

                                  • chpalmer @elvisimprsntr

                                    So how in God's name is someone able to:

                                    1. Download said net installer?
                                    2. Retrieve a backup config to put on the installer USB thumb drive?
                                    3. Run said net installer to get internet back up and running?

                                    This applies to both Netgate and third party appliances.

                                    So then also applies to-

                                    So how in God's name is someone able to:

                                    1. Download the Full ISO?
                                    2. Retrieve a backup config to put on the installer USB thumb drive?
                                    3. Run ISO to get internet back up and running?

                                    If you are the IT guy for a business then if you are competent you would already have a copy of the Net Installer in your desk drawer. You would already have copies of your backups on your company laptop/desktop etc., but could go get those from the backup service anyways. If you are not a business then this is just good practice to learn.

                                    Keeping up with the Net Installer seems easier than updating your copy of the ISO every time a new release comes out as the installer will see less updates IMHO.

                                    The Net Installer will always download the latest files for an install.

                                    You do not need the backup to be on the thumb drive when installing. It is helpful but not necessary.

                                    The only real argument for a full installer I can see so far is that if the target servers go down at the time someone is trying to do an install then they would be SOL for the time it takes for those servers to come back up. I'd tell my family to read a book meanwhile if this was for the home.

                                    Triggering snowflakes one by one..
                                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                    • elvisimprsntr @chpalmer

                                      @chpalmer

                                      You didn’t answer how the net installer will install the packages when the internet is down because said appliance is failed.

                                      • Patch @elvisimprsntr

                                        @elvisimprsntr I believe it is intended the net installer will be able to load a pfSense configuration file and use its WAN interface definition.

                                        • elvisimprsntr @Patch

                                          @Patch

                                          Which still does not address my scenario.

                                          My ATT gateway is in passthrough mode and forwarding my WAN IP to a fixed MAC.

                                          So if my pfSense firewall appliance breaks, while I can connect the WAN port of the replacement appliance to the ATT gateway, I do not believe I will have internet access until I can log into the gateway and update the fixed MAC.

                                          • stephenw10 Netgate Administrator

                                            That's true. Currently the installer is only configurable to a subset of WAN connection types. The new installer version will support more types but there will always be some edge cases that it can't support.

                                            One thing we are looking at though is using the WAN config from an imported config. That should allow more obscure config scenarios.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.