To do 25.07 or not?! That is the question!

mcury

@chudak Upgraded around 20 minutes ago, I still have a boot environment ready to boot in 24.11 firmware.
Upgraded from 24.11 to 25.07, upgrade took around 10 minutes on a SG-4100.

Packages installed:

(Using KEA as DHCP | Exporting netflow and logs to Graylog) <- Confirmed working.

• acme
• aws-wizard
• ipsec-profile-wizard
• Netgate_Firmware_Upgrade
• Nexus
• nmap
• nut (client, UPS is connected to another device).
• pfBlockerNG-devel (only IP feeds, DNSBL is disabled).
• Service_Watchdog
• System_Patches
• WireGuard

stephenw10

I may be biased. But I've run that upgrade many, many times on a lot of hardware and I'd recommend it!

JD 0

Just did the upgrade from 25.07RC to 25.07RELEASE.; Absolutely no issues whatsoever. On a 4200 the total downtime was < 2 mins. I say that because monitoring didn't trigger except to log the reboot itself.

Environment:
Netgate 4200
LAGG interfaces
Multiple VLANS with an IOT secure cell
Dual stack IPv4/v6 (RA managed mode with DHCPv6/DDNS)

Zermus

I'd wait. I just bricked a VM doing it from 24.11. Got 403 Forbidden soon as I pushed the upgrade button and SSH stopped working, or more accurately it would auth then immediately boot me out... and it just locked everything up for 30 minutes. I finally tried a reboot and the rc.init was all screwed up. I just reloaded from the last snapshot.

Now I have another mini PC with the same issue, no Proxmox snapshot I can backup on that one.... ugh.... I may have to rebuild that one from scratch... son of a.....:(

provels

@Zermus Same thing here on physical. Oh, well.

Gertjan

@chudak

Same thing here : SG-4100 and it really looks like 25.07 was build for it
Its up and running now for two days, all is well, nothing goes of the charts.
Captive portal clients can still connect (its high season) - no one is yelling here.

@mcury said in To do 25.07 or not?! That is the question!:

Service_Watchdog

Really ? The best known system killer out there.

It has been ages for me that processes died on me.

edit : ah, ok, Rebel Alliance - I get it ;)

mcury

@Gertjan said in To do 25.07 or not?! That is the question!:

Same thing here : SG-4100 and it really looks like 25.07 was build for it

Indeed =)

It has been ages for me that processes died on me.

In version 24.11, I had issues with the NUT service failing to start on boot. That's why the service watchdog, only for NUT.
I’ll try disabling it in this new version 25.07 to see how that goes now.

edit : ah, ok, Rebel Alliance - I get it ;)

ahahahah, nothing like fresh adrenaline in the morning

Edit:

One thing I noticed is the disk IO decreased?
iostat -x is showing now around 50, it was around 75 before, can you confirm ?

Gertjan

@mcury said in To do 25.07 or not?! That is the question!:

In version 24.11, I had issues with the NUT service failing to start on boot. That's why the service watchdog, only for NUT.
I’ll try disabling it in this new version 25.07 to see how that goes now.

Wait .....
Thanks !!
I still see that : after a upgrade-reboot and normal reboot (?) the UPS service is shown down on the dashboard. After hitting 'Save' on the Services > UPS > Settings page, it's up and running. Never actually took some time to investigate why it doesn't start on boot.
So, I could (ab)use the "service watchdog" for this .... interesting
Thanks again for the suggestion.

JD 0

I saw similar behavior in NUT several releases back (don't recall which). But it's not resurfaced since. The instance running is polling the UPS over SNMP.

Zermus

FWIW doing a "pfSense-upgrade -d" from CLI fixes this for me and does the upgrade properly. Not sure why that works and the GUI fails lol. I did have to rebuild my base packages. Here is what ChatGPT had to say about it. I had the same problem, two different locations, network providers, etc. One is in a datacenter with multiple network redundancies so I doubt it was a network issue.

1. Root cause:
   The core problem was due to an incomplete or partially failed upgrade from pfSense 24.11 to 25.07. The missing critical libraries (libmd.so.7), corrupted package repositories, and broken package signatures indicate that some part of the upgrade script was interrupted, incomplete, or encountered dependency conflicts.

2. Specific indicators of broken upgrade:
   Missing libraries (libmd.so.7) causing package operations to fail.

Missing critical files (/usr/local/sbin/read_global_var, /usr/local/libexec/pfSense-upgrade, and /etc/version) indicate that pfSense-base or core packages were only partially upgraded.

Invalid or broken repository signatures (pkg-static: Error loading trusted certificates) point to repository configuration or trust issues post-upgrade.

Dependency conflicts (IGNORE_OSVERSION prompts) clearly indicated version mismatches due to packages from different pfSense/FreeBSD versions.