Netgate Discussion Forum

    Should I Upgrade NOW to 2.4.5 or better wait a few weeks.

    • Cool_Corona

      IMHO.... wait.

      I haven't been able to get a stable VM going yet despite all sorts of tweaks and no packages asf.

      Every time I boot 2.4.4p3 it works out of the box. Installing 2.4.5 fails every time and it says no boot loader when rebooting after install.

      I can only get 2.4.5 online if I upgrade and after a few minutes the server goes berserk in CPU and the box is rendered useless.

      • bmeeks

        Whether you choose to upgrade at this particular point is up to you. But there are some definite rules for what not to do.

        1. DO NOT upgrade any packages until AFTER you have upgraded pfSense itself. In most cases pfSense will update your packages as part of the OS upgrade (it will reinstall them in the background). If you violate this rule and upgrade a package while still running pfSense-2.4.4_p3, then expect a broken system to result and your package will be dead.

        2. It is safest to remove all packages, upgrade pfSense and then reinstall your packages one-by-one. The packages will all save their current configurations, so you won't lose anything but some of your time doing the uninstall and reinstall steps.

        3. Most of us with simple installations follow step #1 above (upgrade pfSense and let it upgrade the packages).

        Now the caveats. There is at least anecdotal evidence that FreeBSD 11.3/STABLE (and thus pfSense-2.4.5) has issues with virtualized hardware. A number of users are posting about that including @Cool_Corona in this thread. So if you run pfSense on a VM you might want to hold off on the upgrade a bit.

        Even on non-virtualized installs some users are reporting problems with CPU utilization and network stalls/lags when the firewall's pfctl process is really busy. One package that highlights this issue and seems to exacerbate the problem is pfBlockerNG when it is loading/updating large alias lists. Since you are running pfBlockerNG, that might be another reason to hold off.

        • nzkiwi68

          I recommend you wait.

          I've upgraded 3 clusters;

          • 2 of the clusters are now very broken and require the backup HA pfSense to be powered off.
          • 1 cluster was difficult to upgrade but now seems to be running ok.

          I'm holding off upgrading any more systems until the issues with pfctl, high CPU, packet loss and gateway instability are understood and solved.

          I'll try and fix the 2 broken HA clusters once 2.4.5-p1 or a published fix is issued and if that works, then I'll tentatively resume my upgrade rollout with a small scale test upgrade rollout.

          • Gertjan @tohil

            @tohil said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:

            Update Packages prior update

            You're missing an important one: read the forum, and the release notes.

            Before you upgrade packages, visit System > Upgrade and make sure that the Branch is Previous stable version 2.4.4.

            Btw : running a pfSense with a 1 core on VM Hyper-V, upgraded from 2.4.4-p3, pfBlockerNG-devel and didn't see any issues whatsoever.
            pfBlockerNG-devel : I didn't try to use all the feeds it proposes, just a selection like 0 or so.
            CPU is around 2 %, RAM 40 % out of 1 GBytes.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • Cool_Corona @Gertjan

              @Gertjan said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:

              @tohil said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:

              Update Packages prior update

              You're missing an important one: read the forum, and the release notes.

              Before you upgrade packages, visit System > Upgrade and make sure that the Branch is Previous stable version 2.4.4.

              Btw : running a pfSense with a 1 core on VM Hyper-V, upgraded from 2.4.4-p3, pfBlockerNG-devel and didn't see any issues whatsoever.
              pfBlockerNG-devel : I didn't try to use all the feeds it proposes, just a selection like 0 or so.
              CPU is around 2 %, RAM 40 % out of 1 GBytes.

              Yeah. 1 Core seems to avoid the pfctl problems. Try to upgrade the number of cores and see if it changes anything.

              One workaround could be to downgrade the cores and upgrade and then upgrade the cores once again (32 cores in my current setup).....

              • tohil

                Thanks for your answers.
                I run my pfsense installations mostly on PCengines APU and APU2 Boards.

                • tohil

                  Is there already a 2.4.5-p1 in the pipeline, which solves all the issues found since releasing 2.4.5?

                  • DaddyGo @tohil

                    @tohil

                    If it helps, to make your decision, I can tell you that we have updated 14 pcs. APU4d4 board based pfSense NGFWs in our system without any problems.
                    Important note: do not use this FW v4.11.0.5, the highest usable version is v4.11.0.4.!!!
                    The following major larger applications run on endpoint APU + pfSense units:
                    Suricata, pfBlockerNG, Squid, OpenVPN server and client
                    This configuration does not appear to be strongly affected by the problem described above.
                    It takes a significant amount of time after the upgrade for the system to be up again. (cca. 10 -15 min, under no circumstances restart manually or intervene)
                    There are packet loss and high gateway response times in the beginning, but these disappear.
                    I don't know if this helps :-)?

                    Krisz

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

                    • chrisgtl

                      Do yourself a favour and wait. I'm waiting for my new mSATA to arrive and then setting up from scratch on 2.4.4

                      Once I see more positive feedback on 2.4.5 I will upgrade again after taking backups of the fresh 2.4.4

                      • e-1-1

                        Updated a test HA cluster running on 9 year old Astaro hardware with no issues, no packages uninstalled first - lots of them.
                        Just keep in mind:

                        • config backups
                        • have current (not your target) version ISO / CD / bootable USB stick ready
                        • that initial reboot before hitting upgrade
                        • DaddyGo

                          I agree with you!!!, this is an APU board (perfect for SOHO use with pfsense) and the upgrade is hassle-free.
                          Considering the FW version of the board!

                          • nzkiwi68 @DaddyGo

                            @DaddyGo said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:

                            @tohil
                            .... It takes a significant amount of time after the upgrade for the system to be up again. (cca. 10 -15 min, under no circumstances restart manually or intervene)
                            There are packet loss and high gateway response times in the beginning, but these disappear. ....

                            This 10-15 minutes of packet loss and high gateway latency you describe (like many others) is a serious problem. In my cases, this huge disruption minutes also occurs after any following reboot and causes major disruption for 250+ staff.

                            • DaddyGo

                              All major updates / upgrades require attention and spend time.
                              Nor can the developers of pfSense promise that everything will go perfectly on every platform.
                              I can tell you that there are no major issues with PcEngines APU platform with 2.4.5.
                              The same is true for Dell R210II (16GB RAM 8 core CPU + 2x120GB Kingston SSD in ZFS RAID).
                              Everyone should be careful before upgrading, we handle more than 800 customers and have upgraded only 20-25% of the system.

                              The high gateway values that appear to be described as aggressive are only experienced after this first start-up and then disappear.
                              This scares many colleagues right away, but it is not always a maintained condition, if there is a possibility for a test environment, it can also be a solution first.

                              • DaddyGo

                                I would also note that, because of COVID, it is really not a good idea to upgrade remote systems now, as there is social distance and limited mobility!!!

                                • tohil

                                  Hi

                                  What are your field experiences upgrading to 2.4.5 on APU2 Boards in the past weeks?

                                  regards

                                  • DaddyGo @tohil

                                    @tohil

                                    Hi,
                                    We upgraded all our devices (pcEngines) and had no serious problems.
                                    In two cases, it was necessary to reinstall pfBlockerNG-devel, but this problem was probably not due to the base package.

                                    brgds,
                                    K

                                    • nzkiwi68

                                      I recommend NOT upgrading anything to v2.4.5 due to some serious issues but instead waiting for v2.4.5-p1.

                                      The good news is the development team have been hard at work and v2.4.5-p1 has had a lot of progress and is nearly completed.

                                      As of writing this, there are only 10 outstanding issues to be solved. v2.4.5-p1 is not going to be too far away, so, unless you absolutely must upgrade, I would wait. If I were pushed to guess, probably sometime in late June or early July, but do note:

                                      • I'm not a pfSense developer - these are my own observations
                                      • More issues could be added to v2.4.5-p1 and delay the release
                                      • Testing could also reveal issues and require more work
                                      • There is not an actual release date
                                      • Cool_Corona @nzkiwi68

                                        @nzkiwi68 Limping along on 1 core only since it keeps the FW stable.

                                        Cannot push more than 200Mbit with Suricata, so we are definitely limited...

                                        • Gertjan @Cool_Corona

                                          @Cool_Corona said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:

                                          Cannot push more than 200Mbit with Suricata, so we are definitely limited...

                                          Just an observation : if you need Suricata after the apprentice phase **, what about isolating the hopeless cases into a departed network where they can explode themselves and others. This way, ditch Suricata, and both trusted and untrusted can do what they do best at the fastest speed available ?!

                                          You, as an admin, explaining to your clients that loading and executing trojans is no good - neither illegal video content, etc etc

                                          • DaddyGo @nzkiwi68

                                            @nzkiwi68

                                            Just a completely private opinion:

                                            if everyone likes to sit as safe as you do, how do you think the Netgate guys can get feedback for improvements or next step.....

                                            All I can say is that the APU boards are not sensitive to the update in the above setting (which I have already described)
