Netgate Discussion Forum

    Update 2.3.x without WAN access

    Problems Installing or Upgrading pfSense Software

      itteam

      Hi All

      I have the same issue. I have a VM which is running pfSense 2.3 and need to update to 2.3.1; however, this particular firewall is in a secure environment and has no internet access. How can I perform an offline update, as this feature seems to be removed?

      Thanks

        robi

        Your only solution at the moment seems to be to create a new VM with exactly the same parameters (nics, networks etc) as the old one, install fresh from an ISO, create a backup config from the old one, power it off, power on the new one and restore the config.

        Beware that the new VM will have new virtual MAC addresses on each nic, you may want to copy the MAC addresses from the old VM, or better spoof the MAC addresses within pfSense's configuration first on the old machine, so that they will go along with the config to the new one…

        1 Reply Last reply Reply Quote 0
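robi's caveat about MAC addresses, as an added example that is not part of the original thread: a check of the old machine's config backup for interfaces whose MAC is not pinned, run before the config is restored onto a freshly installed VM. It assumes each entry under `<interfaces>` in the backup carries the device name in `<if>` and the spoofed MAC in `<spoofmac>`; the sample config, device names and MAC values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <interfaces> part of a config backup from the old VM.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>vmx0</if><spoofmac>00:50:56:aa:bb:01</spoofmac></wan>
    <lan><if>vmx1</if><spoofmac></spoofmac></lan>
    <opt1><if>vmx2</if><spoofmac>00:50:56:AA:BB:0Z</spoofmac></opt1>
    <opt2><if>vmx3</if><spoofmac>00:50:56:aa:bb:99</spoofmac></opt2>
  </interfaces>
</pfsense>
"""

# Constructed: MACs of the old VM's virtual NICs, as shown by the hypervisor.
OLD_VM_MACS = {
    "vmx0": "00:50:56:aa:bb:01", "vmx1": "00:50:56:aa:bb:02",
    "vmx2": "00:50:56:aa:bb:03", "vmx3": "00:50:56:aa:bb:04",
}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def audit_spoofmac(config_xml, old_macs):
    """Map each assigned interface to (device, status).
    pinned   - spoofmac equals the old NIC's MAC, so it travels with the config
    missing  - no spoofmac: the new VM's generated MAC will be used
    invalid  - spoofmac is not a well-formed MAC address
    mismatch - spoofmac is set but differs from the old NIC's MAC
    """
    report = {}
    for iface in ET.fromstring(config_xml).findall("./interfaces/*"):
        dev = (iface.findtext("if") or "").strip()
        spoof = (iface.findtext("spoofmac") or "").strip().lower()
        if not spoof:
            status = "missing"
        elif not MAC_RE.fullmatch(spoof):
            status = "invalid"
        elif spoof != old_macs.get(dev, "").lower():
            status = "mismatch"
        else:
            status = "pinned"
        report[iface.tag] = (dev, status)
    return report

if __name__ == "__main__":
    for name, (dev, status) in audit_spoofmac(SAMPLE_CONFIG, OLD_VM_MACS).items():
        print(f"{name:5} {dev:5} {status}")
```

Any interface not reported as `pinned` will present a different MAC to its neighbours after the restore, which matters for DHCP reservations, static ARP entries and switch port security on the attached networks.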
          itteam

          Thanks for the response Robi.

          This is definitely not the most logical way to perform an upgrade.

          I do hope that pfSense adds this feature back in, like it was in previous versions.

            phil.davis

            create a new VM with exactly the same parameters (nics, networks etc) as the old one

            You can avoid that by:

            • take a snapshot of the real VM
            • save the config
            • put a copy of the snapshot somewhere that has internet access
            • do whatever it takes to actually get the snapshot internet access (e.g. switch its WAN to DHCP or…)
            • do the upgrade on the snapshot from the internet
            • restore the previous config back to the snapshot
            • copy the upgraded snapshot back off the internet, back in place of the old version VM that was running.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              JeGr LAYER 8 Moderator

              Hi Phil,

              as much as I appreciate your answer it isn't working. As I've already been told in many posts and direct conversations, pfSense is used in situations where there is NO possible WAN connectivity. Period. It's not that we aren't trying hard enough to get it there but a matter of various approaches like policies that do forbid direct connects or other hurdles. So if it is possible at all to create something like a small pfSense mirror, that could provide upgrade files to internal systems or simply a matter of using a live-medium to update the installation, that would be the solution to that problem. If we could e.g. fire up the USB/ISO version for let's say 2.3.2 and put it into a system running 2.3 and update it that way, that would be fine, too.

              Just a way to update without having an up and running WAN connection would be enough for those systems. Reinstalling isn't a viable solution in many of those cases.

              Greets

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                jahonix

                I'm all in.
                Facing this problem with at least half a dozen installs of mine. All islands (control network of banks, insurance companies, etc.)

                  phil.davis

                  @JeGr and others, yes I understand that there are situations where policy/security means that you are not allowed to connect the router to the public internet by any means at all (banks, defence…). Router software needs to be got in some controlled way, either a fully-built set of software from some trusted place, or the source code (again from a trusted place) and build it yourself. And then that authorized software can be taken into the internal network and applied to the devices.

                  For that there really does need to be either an upgrade file (like there used to be), or some (relatively easy) way to bundle up the whole upgrade package server environment so that it can be moved into an internal network as needed and used there to serve upgrades to internal devices.

                    JeGr LAYER 8 Moderator

                    So I assume there's nothing in place for interested parties to mirror the official update repo into their infrastructure? Would there be a manual way or is that completely out of the ballpark and another solution is preferred?

                      mattlach

                      Isn't there an upgrade image you can download on the main pfsense download page?

                        mattlach

                        @mattlach:

                        Isn't there an upgrade image you can download on the main pfsense download page?

                        There we go:

                        Does this upgrade image not do what I think it does?

                          phil.davis

                          That image is used on a "less than 2.3" system (1.*, 2.1.*, 2.2.*) to upgrade to 2.3.*.
                          Once you get to 2.3.*, then there is no longer any way to use that to apply further upgrades.
                          And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.

                            robi

                            @JeGr:

                            Hi Phil,

                            as much as I appreciate your answer it isn't working. As I've already been told in many posts and direct conversations, pfSense is used in situations where there is NO possible WAN connectivity. Period. It's not that we aren't trying hard enough to get it there but a matter of various approaches like policies that do forbid direct connects or other hurdles. So if it is possible at all to create something like a small pfSense mirror, that could provide upgrade files to internal systems or simply a matter of using a live-medium to update the installation, that would be the solution to that problem. If we could e.g. fire up the USB/ISO version for let's say 2.3.2 and put it into a system running 2.3 and update it that way, that would be fine, too.

                            Just a way to update without having an up and running WAN connection would be enough for those systems. Reinstalling isn't a viable solution in many of those cases.

                            Greets

                            +1 for that

                              jahonix

                              @phil.davis:

                              And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.

                              Why?
                              I don't see any benefit except for ESF being able to control who can get which image.
                              What's wrong about having an upgrade or install stick to service existing installs or building a small system on the fly if need be?
                              Sorry, this direction just doesn't feel right and seems unnecessary.

                                phil.davis

                                @jahonix:

                                @phil.davis:

                                And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.

                                Why?
                                I don't see any benefit except for ESF being able to control who can get which image.
                                What's wrong about having an upgrade or install stick to service existing installs or building a small system on the fly if need be?
                                Sorry, this direction just doesn't feel right and seems unnecessary.

                                This commit:
                                Stop building full update images, users will need to reach 2.3 first and then go to newer versions
                                https://github.com/pfsense/pfsense/commit/099570f2b28898f5f2d8c725c92add860fabfa0f
                                I believe is where the implementation of the above starts.
                                I have nothing to do with setting the policy or roadmap, I am just reporting what is happening in the GitHub repo(s).

                                Can someone from ESF point us to an official "roadmap" or other announcement that has the proper details of the plan going forward, particularly for what install images, upgrade images and upgrade methods will be available from what version…?

                                  jahonix

                                  @phil.davis:

                                  I have nothing to do with setting the policy or roadmap, I am just reporting what is happening in the GitHub repo(s).

                                  I am absolutely aware of that. Thanks!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.