pfSense 2.4.5 Now Available

t41k2m3

@johnpoz said in pfSense 2.4.5 Now Available:

I only use pfblocker for the geoip aliases - I don't have it doing any rules or anything. It just maintains the aliases that I then use in my own rules. And only then for allowing specific access to my forwards. My settings would not be in line with how most people use it..

I use it to limit access to my plex to the countries that my users are in, and allow access to my vpn to only US, that sort of thing.

That type of use may explain what's happening in some cases where spikes seem to happen due to unbound and (presumably) a large DNSBL entries file. Which you wouldn't have, so it does not impact unbound. Anyway, fortunately, not as affected as others have been and could downgrade pretty easily if it came to that. Right now though, still trying to figure out if there may be any fix short of downgrading available or coming. The point was made and would seem sensible, that pkg should not be switched to pull data from a new version prior to an actual update (happened to me too which sort of forced the matter of the upgrade).

Gertjan

@chudak said in pfSense 2.4.5 Now Available:

I think Package Manager should even allow update packages meant for new version. Then we would not have any of these issues!

Very true.
But ... pfSense is just pfSense. Packages are nice addons but mostly written and maintained by guys like you and me.
I me and you will not (like never) want to deal with version management. That means you have to support the guys that use the older versions of pfSense, with the bug and issues from back then and the new issues that just came up. That will mean : problem solved because no more packages.
It might work out for a $$$$ environment.
Also : pfSense has to support the "where to get my updates" - you do remember that Netgate is doing this all for close to free so they decide what is needed - what should be done.

chudak

@Gertjan

In my case I was trying to be very careful, but did not see that system has a new version available and simply updated some packages - and there problems started !

I think this can be avoided not by forcing package developers to change anything, but simply by displaying some warning messages in the pfsense UI

Look at how many people having troubles ?!

Hope you agree.

Thx

Gertjan

@chudak said in pfSense 2.4.5 Now Available:

Look at how many people having troubles ?!

No way.
Count the people that still have problems copying an iPhone to a new iPhone. That will always last. Although it's a finger in the nose trick these days.

The pfSense upgrade procedure has been guided, documented and explained - with every major version update, for several years now.
Issues are not possible, because pfSense is a close-to-industrial firewall. They do not oblige you to write out that big cheque like Cisco to have it dealt with, or send one of the employees to a new training to handle the update. pfSense makes it easy : they only ask one thing : being able to read. There is no place to mess up : no one will install a new version on a system will taking down the companies or their private Internet access. For a couple of $$ you have a backup system (an old PC will do) - so the upgrade is two phase. Permits you to fast compare, check. There is a free support forum and redit and the manual and the main Negate blog, a huge channel filled up with in-depth vidoes as a guide line : what do you want more ? You really need more ? Serious ?

@chudak said in pfSense 2.4.5 Now Available:

I was trying to be very carefu

As said : RTFM.

@chudak said in pfSense 2.4.5 Now Available:

did not see that system has a new
and there problems started !

Like that red traffic light in front of you on an intersection ? You'll be asking for barriers on the road also now ?

More code, more text and more screen will make system less error prone. In theory, yes. But as long as systems deal with humans, there will always be issues.

Gil

@dennis_s
Like the "copy" functionality within the OpenVPN Client Specific Overrides.

• I note that these can be slow to apply though.
  I rebooted the router and the first lot of OpenVPN connections were not allocated the IP addresses as specified in the CSO.
  Disconnecting each client through the server gui, and letting each client auto reconnect fixed the issue.
  ie - they were then assigned the VPN IP addresses as per the CSO rules.

provels

@chudak said in pfSense 2.4.5 Now Available:

@Gertjan

In my case I was trying to be very careful, but did not see that system has a new version available and simply updated some packages - and there problems started !

I think this can be avoided not by forcing package developers to change anything, but simply by displaying some warning messages in the pfsense UI

Look at how many people having troubles ?!

Hope you agree.

Thx

Perhaps a splash screen such as used by the license agreement and survey would be suitable. I know, Monday Morning QB. :/

Jeffx123

Update took quite a bit of time on my SG-1100 and I had to reboot my cable modem afterwards. The web interface leads one to believe that the system should reboot in 80 seconds or so. This is not even close. The upgrade took >10 minutes. I ended up using the usb console to see that the system wasn't frozen. I suppose this is a live & learn situation but it would be really nice if the web interface had a link to the readme and a reasonable time estimate based on the hardware. The quick flashing green light (black diamond) isn't all that useful after a while.

tman222

Thought I'd toss out a couple more data points for upgrade times -- the Supermicro Xeon D based box took about 3 minutes to fully upgrade (i.e. time needed to come back to the login screen). The custom built i3-8100 was about the same - I started the upgrade, walked away for a couple minutes and it was already finished by the time I returned.

chudak

@Gertjan said in pfSense 2.4.5 Now Available:

@chudak said in pfSense 2.4.5 Now Available:

Look at how many people having troubles ?!

No way.
Count the people that still have problems copying an iPhone to a new iPhone. That will always last. Although it's a finger in the nose trick these days.

The pfSense upgrade procedure has been guided, documented and explained - with every major version update, for several years now.
Issues are not possible, because pfSense is a close-to-industrial firewall. They do not oblige you to write out that big cheque like Cisco to have it dealt with, or send one of the employees to a new training to handle the update. pfSense makes it easy : they only ask one thing : being able to read. There is no place to mess up : no one will install a new version on a system will taking down the companies or their private Internet access. For a couple of $$ you have a backup system (an old PC will do) - so the upgrade is two phase. Permits you to fast compare, check. There is a free support forum and redit and the manual and the main Negate blog, a huge channel filled up with in-depth vidoes as a guide line : what do you want more ? You really need more ? Serious ?

@chudak said in pfSense 2.4.5 Now Available:

I was trying to be very carefu

As said : RTFM.

@chudak said in pfSense 2.4.5 Now Available:

did not see that system has a new
and there problems started !

Like that red traffic light in front of you on an intersection ? You'll be asking for barriers on the road also now ?

More code, more text and more screen will make system less error prone. In theory, yes. But as long as systems deal with humans, there will always be issues.

Open-source software is awesome and I don't submit to the notion that because it's free it has to be of lower quality then commercial software.

Yes RTFM is great concept !

But , are you arguing against throwing a big red banner on top of the UI right after major upgrade to warn users about proper steps and point to release notes, so we have less mistakes ? (similar like we see sometimes for user surveys)

Of cause, there are will be other human errors, but this one will be prevented.

Stay well and healthy and thank you for you support!

Bob.Dig

I did a fresh install of pfSense 2.4.5. But after installing and setting up of pfBlockerNG, massive problems occurred described here.

Cool_Corona

@Bob-Dig said in pfSense 2.4.5 Now Available:

I did a fresh install of pfSense 2.4.5. But after installing and setting up of pfBlockerNG, massive problems occurred described here.

Same but worse here. No boot loader available on a fresh install.

Upgraded from 2.4.4p3 and it worked like a charm until package install.

Running on a 32core XEON setup.

ramup

@dennis_s
Will there be a 2.4.5-p1 relase that fixes the current problems with update of 2.4.4-p3 to 2.4.5?
Unfortunately I do not see anything on redmine.

dennis_s

@ramup Our engineers are aware of a few customers that have had problems and are in the process of trying to replicate those issues so that a fix can be applied. As of now, there isn't an ETA on a p1 release.

v4rp1ng

I had some issues with 2.4.4-p3 (random packet drops) now with 2.4.5 luckily all fine again - thanks to all who contributed.

Oliver12

I tried upgrade with my pfsense server at home from 2.4.4_p3, but in this case I did a snapshot on vmware, and the problem is same. The ping time is very high and the navigation have a lot of problems.

I restored the snapshot, and all return to normally

plfinch

Might as well capture my results here upgrading pfSense from 2.4.4p3 to 2.4.5...

SG-5100 - Primary Firewall - No issues with upgrade.

SG-2440 - Backup Firewall - On first boot after upgrade, no LAN or serial console access. Subsequent reboots no change. Ended up doing a memstick image install and then restoring configs from Primary. All good now.

Both systems use same trivial configuration and the packages are the same (apcupsd, arpwatch, sudo) except SG-2440 also has coreboot.

Peter