pfSense 2.4.5 Now Available

chudak

@dennis_s

We some problems reported by early adapters of 2.4.5 release, do you plan to release hot-fixes soon to people who is still waiting and not updating?

Thx

hmh

@chudak move to TNSR :-)

Grapeape22

UEFI does not work

Grapeape22

@Grapeape22 said in pfSense 2.4.5 Now Available:

UEFI does not work

On the Think server ts140

chudak

Version check says 'Unable to check for updates' - message now, maybe new version is coming up?

johnpoz

I updated 4 Days 05 Hours 47 Minutes 35 Seconds ago, with the following packages installed with the only issue that I have discovered is I had to click the update graphs in the traffic totals package.

chudak

Again update is not available ATM

https://imgur.com/a/gw9hQOW

johnpoz

Yes it is

You have a dns or connectivity issue most likely

https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html

do a
pkg-static update -f

what does it say?

chudak

@johnpoz said in pfSense 2.4.5 Now Available:

pkg-static update

This is first time I see this issue and I have not changed anything.
Why now ?

[2.4.4-RELEASE][admin@pfsense.wawona.lan]/root: pkg-static update -f
Updating pfSense-core repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 2 KiB 1.7kB/s 00:01
Processing entries: 100%
pfSense-core repository update completed. 7 packages processed.
Updating pfSense repository catalogue...
Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 141 KiB 144.4kB/s 00:01
Processing entries: 0%
Newer FreeBSD version for package xe-guest-utilities:
To ignore this error set IGNORE_OSVERSION=yes

• package: 1103504
• running kernel: 1102000
  Ignore the mismatch and continue? [Y/n]:

chudak

I updated pfBlockerNG-devel to 2.2.5_30 only .

Maybe that's the reason. I am still on 2.4.4

cc: @BBcan177

Gertjan

The golden rule is :

Update first pfSense, if an update is available (not RC).
Then the packages ....

There is an update to pfSense, 2.4.5 - that should be done first.
Only then you can continue upgrading packages.

If not ......

t41k2m3

@johnpoz said in pfSense 2.4.5 Now Available:

I updated 4 Days 05 Hours 47 Minutes 35 Seconds ago, with the following packages installed with the only issue that I have discovered is I had to click the update graphs in the traffic totals package.

@johnpoz noticed you are running pfBlockerNG-devel, would you mind posting your settings? Assuming you have not seen any of the issues reported in the topic below post upgrade to 2.4.5 -- that some have traced back to pfBlockerNG, unbound, pfctl or some combo thereof -- your setup may help provide workarounds for some (especially if running on netgate or other bare-metal servers).

https://forum.netgate.com/topic/151690/increased-memory-and-cpu-spikes-causing-latency-outage-with-2-4-5/

chudak

@t41k2m3
@johnpoz

Some people are not so lucky :( see https://forum.netgate.com/topic/151930/error-failed-opening-required-net-ipv6-php-help

johnpoz

I only use pfblocker for the geoip aliases - I don't have it doing any rules or anything. It just maintains the aliases that I then use in my own rules. And only then for allowing specific access to my forwards. My settings would not be in line with how most people use it..

I use it to limit access to my plex to the countries that my users are in, and allow access to my vpn to only US, that sort of thing.

BTW - not suggesting that anyone just click upgrade.. You should follow the guide for sure.. But I wouldn't have any issues if it completely blew up either. I have backup of my config, I have image to do a clean install. And my setup overall isn't all that complicated.. Plus have 10+ years of running pfsense - so I am pretty sure if it took a dive I wouldn't have any issues to get my home network up and running in a few minutes. Worse case I do have a spare USGp3 box I could fire up if the hardware decided to take a dump during the process.. You always need to have plans in place when doing any sort of upgrade to this sort of equipment - things always seem to go wrong at the worse times.. So you have to plan for them!

That is why I just did click without removing all the packages, etc. If you are not at this same comfort and skill level, then for sure you should follow best practice upgrade..

I am also right next to the box, and its only a home network - not production.. So even if was down for extended period.. Worse case is wife wouldn't be able to use the internet, and friends and family wouldn't be able to access my plex server ;)

I am not going to update any of the work netgate boxes until we get back to the office, even though right now would be a good time since nobody is there.. But if they had some sort of an issue, they would be down for quite some time - and when people do start going into the offices, which might before I do, etc. they would be down. So yeah those can wait.

chudak

@Gertjan said in pfSense 2.4.5 Now Available:

The golden rule is :

Update first pfSense, if an update is available (not RC).
Then the packages ....

There is an update to pfSense, 2.4.5 - that should be done first.
Only then you can continue upgrading packages.

If not ......

I think Package Manager should even allow update packages meant for new version. Then we would not have any of these issues!

johnpoz

So you will have a pull request later to day for that I take it?
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

t41k2m3

@johnpoz said in pfSense 2.4.5 Now Available:

I only use pfblocker for the geoip aliases - I don't have it doing any rules or anything. It just maintains the aliases that I then use in my own rules. And only then for allowing specific access to my forwards. My settings would not be in line with how most people use it..

I use it to limit access to my plex to the countries that my users are in, and allow access to my vpn to only US, that sort of thing.

That type of use may explain what's happening in some cases where spikes seem to happen due to unbound and (presumably) a large DNSBL entries file. Which you wouldn't have, so it does not impact unbound. Anyway, fortunately, not as affected as others have been and could downgrade pretty easily if it came to that. Right now though, still trying to figure out if there may be any fix short of downgrading available or coming. The point was made and would seem sensible, that pkg should not be switched to pull data from a new version prior to an actual update (happened to me too which sort of forced the matter of the upgrade).

Gertjan

@chudak said in pfSense 2.4.5 Now Available:

I think Package Manager should even allow update packages meant for new version. Then we would not have any of these issues!

Very true.
But ... pfSense is just pfSense. Packages are nice addons but mostly written and maintained by guys like you and me.
I me and you will not (like never) want to deal with version management. That means you have to support the guys that use the older versions of pfSense, with the bug and issues from back then and the new issues that just came up. That will mean : problem solved because no more packages.
It might work out for a $$$$ environment.
Also : pfSense has to support the "where to get my updates" - you do remember that Netgate is doing this all for close to free so they decide what is needed - what should be done.

chudak

@Gertjan

In my case I was trying to be very careful, but did not see that system has a new version available and simply updated some packages - and there problems started !

I think this can be avoided not by forcing package developers to change anything, but simply by displaying some warning messages in the pfsense UI

Look at how many people having troubles ?!

Hope you agree.

Thx

Gertjan

@chudak said in pfSense 2.4.5 Now Available:

Look at how many people having troubles ?!

No way.
Count the people that still have problems copying an iPhone to a new iPhone. That will always last. Although it's a finger in the nose trick these days.

The pfSense upgrade procedure has been guided, documented and explained - with every major version update, for several years now.
Issues are not possible, because pfSense is a close-to-industrial firewall. They do not oblige you to write out that big cheque like Cisco to have it dealt with, or send one of the employees to a new training to handle the update. pfSense makes it easy : they only ask one thing : being able to read. There is no place to mess up : no one will install a new version on a system will taking down the companies or their private Internet access. For a couple of $$ you have a backup system (an old PC will do) - so the upgrade is two phase. Permits you to fast compare, check. There is a free support forum and redit and the manual and the main Negate blog, a huge channel filled up with in-depth vidoes as a guide line : what do you want more ? You really need more ? Serious ?

@chudak said in pfSense 2.4.5 Now Available:

I was trying to be very carefu

As said : RTFM.

@chudak said in pfSense 2.4.5 Now Available:

did not see that system has a new
and there problems started !

Like that red traffic light in front of you on an intersection ? You'll be asking for barriers on the road also now ?

More code, more text and more screen will make system less error prone. In theory, yes. But as long as systems deal with humans, there will always be issues.