pfSense 2.8.0 full iso/img
-
pfSense CE is based on an open source project and I thought that this would come with some moral obligations. I understand that it may not be a legal obligation to offer a stand-alone installer, and I assume that the source code is public to the degree required. I no longer pay attention to this as the source has never been in a form where it could be compiled by a user.
-
@quantum007 said in pfSense 2.8.0 full iso/img:
The move to a unified installer I can understand a bit, but the lack of offline install support is a bad move by Netgate. With this single decision Netgate has chosen to almost completely eliminate themselves as an option for every non-internet connected, high security, or classified system around the globe. I highly suggest Netgate reconsider releasing offline install packages.
This sums it all up nicely
-
I concur, and believe this is a direct result of bad actors selling/shipping devices with Pfsense CE installed in the past. Pfsense/Netgate was forced to protect their interests and business model. However the fact remains current install methodology appears to need some tuning. You are correct concerning secure installations, no iso retreating clients.
-
Everyone here is wasting their time complaining. The writing has been on the wall for months now (some would say years.) If you really need an ISO installer, you're either going to have to carry around 2.7.2 and then bootstrap it to current, or investigate your other OPtioNs.
I'm just now starting to play with an alternative at home. I never thought I would be in this position and yet here I am. Once I'm comfortable with it, I'll start ripping & replacing at work.
-
Recently done four of them. Two upgrades from 2.7.2 and two net installed. All went ok & reinstalled packages after.
I agree an iso would be useful but I’ve managed without.
Next one will be an ESXI vm, so will try both methods on that.
-
I've run into my first couple of issues caused by this over the last week.
We had a firewall fail at a site that has site-to-site VPNs with two other sites. It hadn't been upgraded to 2.8.0 yet because we need to schedule an update for all 3 sites at the same time to ensure we don't run into OpenVPN (or other compatibility) issues. It was ok this time because everything was still 2.7.2, so 5 minutes onsite and everything was back up.
Is the online installer going to work in a scenario like that if I need to install a specific older version until we can coordinate an update of multiple related sites?
The next issue I'm going to have is an update to a firewall on the weekend. Someone will be onsite doing other work, so we'd normally plan a firewall update at the same time. I'll prep it on a spare and once someone is onsite they'll install 2.7.2 and load the new config.
We use dynamic dns with low TTLs for people that don't have static IPs, so if I load 2.7.2, connect it to the internet, and update to 2.8.0, I'm going to break things for the live site. Of course I can disable DynDNS updates before connecting to the internet to update to 2.8.0, but I'm not impressed with the idea that we have to start jumping through a bunch of hoops that make my life harder for us so things can be easier for Netgate.
That's also ignoring the fact that someone onsite is going to have to waste time with an online update to 2.8.0 after the old reload and restore procedure is done. These are visible things that people notice and I have to explain why it's taking longer and getting more expensive.
I'm going to mention again, we're only buying official Netgate hardware at this point and that's what we're telling all of our customers to buy. The CE stuff is getting phased out for us, but I don't like getting kneecapped before we consider those devices EoL.
I'm extra annoyed today because I need to explain to my boss why they need to allocate 30 minutes for an update job that usually takes 5 minutes.
-
@ryan87 said in pfSense 2.8.0 full iso/img:
Is the online installer going to work in a scenario like that if I need to install a specific older version
Yes. Currently the installer will install 2.7.2, 2.8.0 and 2.8.1-Beta. As well as Plus if eligible.
Is there some reason you can't use the Net Installer at those sites?
Consider adding the config during the install to save time.
-
@dark-baritone Yes I just upgraded to 2.8 yesterday at my home. My plus version had expired so I installed using a USB 2.6 version. It was a pain. The 10 gig drivers were giving me an issue and no ZFS. Plus my desktop keyboard for setting up the GUI the N key stopped working. It took me a little bit to figure it out using the old BSD code 12.x. It was a combination of things, how easily we forget how the new technology we are using did not exist in the past. I managed to upgrade to 2.7 then 2.7.2 and then 2.8. The subnet firewall rules caught me for a little bit in 2.8 when my routed networks had no internet access. I use a Cisco layer 3 switch for my vlans. Subnet is particular to pfsense and I had no vlans defined to pfsense. Duh!
Now that it is running I am very happy with it. My gateway response times are sub millisecond now. To both AT&T and my Cisco L3 switch. pfsense 2.8 is great in my way of thinking. Good job.
-
@stephenw10 said in pfSense 2.8.0 full iso/img:
@ryan87 said in pfSense 2.8.0 full iso/img:
Is the online installer going to work in a scenario like that if I need to install a specific older version
Yes. Currently the installer will install 2.7.2, 2.8.0 and 2.8.1-Beta. As well as Plus if eligible.
Is there some reason you can't use the Net Installer at those sites?
Consider adding the config during the install to save time.
That's great we'll be able to get a previous version from the online installer. Adding the config to the installer to save some time will help.
There's no show-stopping reason we can't use the online installer, but we'll have to change how we do things a bit to accommodate.
As an example, the config I'll prep for the weekend is a job that will require some rack cleanup. Normally with a couple of people one of them can update the firewall in the amount of time it takes to clean up things around ISP equipment. We usually just shut the whole thing down for a short time and it's nice to do that work in parallel.
To be honest, I'm more frustrated than I should be about it because I like setting things up to be as efficient as possible and working through a new process to get things running smoothly again is going to mean a little bit more time onsite for the next couple of installs.
I took a break and, now that I've thought about it more, I think a USB-C to ethernet adapter plugged into a phone resolves most of the scenarios that are an annoyance for us; disconnected ISP equipment, slow internet, static WAN IPs, etc..
Thank you for replying and my apologies for replying to this thread without taking a break to think things through a bit better before complaining. I suppose I could use a nap today.
-
@revengineer Personally I don't care whether the source code is open source. I think it is a bad idea to give it away.
-
@coxhaus I no longer care either because the source code does not seem compilable for the average user. I used to have fun with compiling many years ago as a former smoothwall user.
While it may be preferable not to give the source away, the fact that pfsense is forked from an open source project (monowall) two decades ago may still require this. (I am not a legal expert on open source licensing.)
To bring this back to the title of the topic, this is solely about the release of an iso of the full compiled v2.8.0 for direct installs, not asking for anything more.
-
Scenario is someone has an appliance that fails. Hypothetically, said appliance fails from excessive flash writes. Now internet access is down, and likely local LAN since DHCP/DNS is also running on said appliance.
So how in god's name is someone able to:
- Download said net installer?
- Retrieve a backup config to put on the installer USB thumb drive?
- Run said net installer to get internet back up and running?
This applies to both Netgate and third party appliances.
-
So how in god's name is someone able to:
- Download said net installer?
- Retrieve a backup config to put on the installer USB thumb drive?
- Run said net installer to get internet back up and running?
This applies to both Netgate and third party appliances.
So then also applies to-
So how in god's name is someone able to:
- Download the Full ISO?
- Retrieve a backup config to put on the installer USB thumb drive?
- Run ISO to get internet back up and running?
If you are the IT guy for a business then if you are competent you would already have a copy of the Net Installer in your desk drawer. You would already have copies of your backups on your company laptop/desktop etc.. but could go get those from the backup service anyways.. If you are not a business then this is just good practice to learn.
Keeping up with the Net Installer seems easier than updating your copy of the ISO every time a new release comes out as the installer will see less updates IMHO.
The Net Installer will always download the latest files for an install.
You do not need the backup to be on the thumb drive when installing. It is helpful but not necessary.
The only real argument for a full installer I can see so far is that if the target servers go down at the time someone is trying to do an install then they would be SOL for the time it takes for those servers to come back up. I'd tell my family to read a book meanwhile if this was for the home.
-
You didn’t answer how the net installer will install the packages when the internet is down because said appliance is failed.
-
@elvisimprsntr I believe it is intended the net installer will be able to load a pfsense configuration file and use its wan interface definition.
-
Which still does not address my scenario.
My ATT gateway is in passthrough mode and forwarding my WAN IP to a fixed MAC.
So if my pfsense firewall appliance breaks, while I can connect the WAN port of the replacement appliance to the ATT gateway, I do not believe I will have internet access until I can log into the gateway and update the fixed MAC.
-
That's true. Currently the installer is only configurable to a subset of WAN connection types. The new installer version will support more types but there will always be some edge cases that it can't support.
One thing we are looking at though is using the WAN config from an imported config. That should allow more obscure config scenarios.
-
@elvisimprsntr said in pfSense 2.8.0 full iso/img:
while I can connect the WAN port of the replacement appliance to the ATT gateway, I do not believe I will have internet access until I can log into the gateway and update the fixed MAC.
My guess is that you would still have some kind of access to the configuration page of the AT&T device to make changes.. (I could be wrong) I've never seen an ISP supplied device that did not at least give you that if it had any kind of GUI.
I see no reason that you have to have a specific package installed before you get online. But I could be wrong.. just ask my wife.. ; Post what package that is if you do... it might be able to be defaulted into the installer should Netgate decide to. They won't know unless it is brought up with them.
But assuming you do need that- Your phone most likely has a hot spot mode. Amazon sells an Ethernet bridge that will let you utilize that or even your neighbor's WIFI (with their permission of course) to build your system. Great tool just to have in the drawer.. just in case.
I'm not choosing sides pro or con on this installer decision.. but I've seen no compelling argument as of yet as to fully support doing a full installer with what is available now.
Again this is just my observation and opinion.
The last box I set up was for a friend and was done at his house via my cell router I took with me. Kinda case in point..
-
@chpalmer said in pfSense 2.8.0 full iso/img:
My guess is that you would still have some kind of access to the configuration page of the AT&T device to make changes..
I have already run into no internet access when upgrading my appliance. No internet access until I update the fixed MAC in the gateway.
@chpalmer said in pfSense 2.8.0 full iso/img:
The last box I set up was for a friend and was done at his house via my cell router I took with me. Kinda case in point..
Exactly my point. Because there is no longer an off line installer, I now have to jump through multiple hoops to get my internet back up and running.
I would likely have to use my cell phone hot spot, connect a wired LAN connection to a USB Ethernet adapter, configure the wired LAN to route through the hotspot in order to download and run the latest net installer.
Or my other option is to use my already prepared 2.7.2 off line installer with a recent config backup on it, then upgrade in place after placing it in service. Once I upgrade to 2.8.0+, I will no longer be able to use a config backup from 2.8.0+ on 2.7.2.
While I can plan for all the scenarios and options for my home network, I feel bad for the people running pfSense in an enterprise or at remote sites who now have no off line installer.
-
@elvisimprsntr said in pfSense 2.8.0 full iso/img:
I feel bad for the people running pfSense in an enterprise or at remote sites who now have no off line installer.
LOL.. I'm both. I am a remote site radio tech for a corporation and go up to those red lights up on top of the hill similar to what you might have seen before.. I posted that scenario some weeks ago up above. Sometimes there is no cellular coverage up at those sites and sometimes there is. I just have to prepare a little differently. Those are the kind of place that you pack lunch and dinner.. just in case.
This is all definitely good input for the Netgate team.