Upgrading pfSense 21.05 to 23.01

stemid

I only use pfSense Firewall, NAT, interfaces, dhcp and port forwarding features. Nothing advanced like IDS, or even VPN.

Just wondering if it's safe to upgrade directly to 23.01?

Also in case the system becomes inaccessible, is there a guide for local troubleshooting? Or some docs for the local console?

And where can I download the 21.05 USB image in case there is no boot?

I will of course make a backup but I want to prepare as well as possible.

patient0

@stemid said in Upgrading pfSense 21.05 to 23.01:

Just wondering if it's safe to upgrade directly to 23.01?

Even the version you want to upgrde to, is really old, are you sure that you want to run the device that protects you from the internet with a version that is 2 1/2 years old?

Also in case the system becomes inaccessible, is there a guide for local troubleshooting?

To get recovery images that old you will have to open a support tickets: https://www.netgate.com/tac-support-request

Troubleshooting help: you'll find lots of helpful information uner Netgate doc: Troubleshooting.

Or some docs for the local console?

Depends on your device, if it's a Netgate device you will find information about the serial console access on the device page:
https://docs.netgate.com/pfsense/en/latest/solutions/

stemid

@patient0 Ok so it's a good idea I investigated this first.

So in other words what do you recommend then? Should I buy a new device with a later version of pfSense and reconfigure all our interfaces and firewall rules to make a quick replacement?

patient0

@stemid said in Upgrading pfSense 21.05 to 23.01:

Should I buy a new device with a later version of pfSense

You don't have to buy a new device, depending on what device you got, it's stil good. What device have you got?

You would backup the configuration, download the Netgate online installer (in Netgate store, for $0) and completely reinstall pfSense+ (using ZFS as file system), then restore the config you backup-ed.

stemid

@patient0 It's a Netgate XG-7100 and I'm sure it's good but I was thinking more of doing an upgrade with as little interruption as possible. So therefore I think configuring a new device and just replacing the old one with it might be the way to go here.

I was afraid the backup could not be restored to a later version of pfSense. But you're saying it can then.

patient0

@stemid said in Upgrading pfSense 21.05 to 23.01:

I was afraid the backup could not be restored to a later version of pfSense. But you're saying it can then

Yes, backups from older version can be restored to newer version. The other way round is not guaranteed to work.

SteveITS

@stemid In general Netgate recommends reinstalling if skipping many versions. This would for instance get you ZFS if you don't already have it.

If you upgrade it will normally work but you will need to go in stages. IIRC from a recent client who was out of date, one must go to 23.01, 23.09, 23.09.1, then 24.11. Maybe another step or two, I don't recall offhand.

After ~23.09 you'll need to change the update branch to the new version in order to see the new update.

I'd recommend following the upgrade guide and uninstalling packages before the upgrade chain. (then reinstall at the end, settings are saved by default)

stephenw10

Yes, I would re-install 25.07.1 clean from something that old. You can upgrade but it takes ages with the required steps.

stemid

@patient0 You keep mentioning ZFS, is that a big advantage? I'm assuming you refer to snapshots, being able to rollback to a previous snapshot for future upgrades?

patient0

@stemid said in Upgrading pfSense 21.05 to 23.01:

You keep mentioning ZFS, is that a big advantage? I'm assuming you refer to snapshots, being able to rollback to a previous snapshot for future upgrades?

Yep, that's it. The snapshot feature makes it just very easy to recover to the previous snapshot if something goes t*ts up.
Even if you make config changes that could lead to issues a snapshot is helpful. Beside choosing the snapshot to boot from in the GUI, you can do that from the boot menu too.

Of course having a second device (HA or just as a cold standby) is even better.

You mentioned that you have a XG-7100. If it runs from the build-in 32GB eMMC then you have to be aware that ZFS writes a lot more then UFS and it will wear out the eMMC fast. Installing a M.2 would be recommended in that case (check 7100-U M.2 SATA Installation documentation).

stephenw10

ZFS is also a lot more resilient to filesystem issues than UFS. So if you see frequent power outages it's a much better choice.

But, yes, it does write more to the drive. Though the default values in 25.07 reduce that significantly. You can mitigate it almost entirely by running RAM disks too.