Should I Upgrade NOW to 2.4.5 or better wait a few weeks.
-
@Gertjan said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:
@tohil said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:
Update Packages prior update
You're missing an important one : read the forum, and the release notes.
Before you upgrade packages, visit System > Upgrade and make sure that the Branch is Previous stable version 2.4.4.
Btw : running a pfSense with a 1 core on VM Hyper-V, upgraded from 2.4.4-p3, pfBlockerNG-devel and didn't see any issues whatsoever.
pfBlockerNG-devel : I didn't try to use all the feeds it proposes, just a selection like 0 or so.
CPU is around 2 %, RAM 40 % out of 1 GBytes.
Yeah. 1 Core seems to avoid the pfctl problems. Try to upgrade the number of cores and see if it changes anything.
One workaround could be to downgrade the cores and upgrade and then upgrade the cores once again (32 cores in my current setup).....
-
Thanks for your answers.
I run my pfsense installations mostly on PCengines APU and APU2 Boards.
-
Is there already a 2.4.5-p1 in the pipeline, which solves all the issues found since releasing 2.4.5?
-
If it helps, to make your decision, I can tell you that we have updated 14 pcs. APU4d4 board based pfSense NGFWs in our system without any problems.
Important note: do not use this FW v4.11.0.5, the highest usable version is v4.11.0.4.!!!
The following major larger applications run on endpoint APU + pfSense units:
Suricata, pfBlockerNG, Squid, OpenVPN server and client
This configuration does not appear to be strongly affected by the problem described above.
It takes a significant amount of time after the upgrade for the system to come up again. (cca. 10-15 min, under no circumstances restart manually or intervene)
There are packet loss and high gateway response times in the beginning, but these disappear.
I don't know if this helps :-)?
Krisz
-
Do yourself a favour and wait. I'm waiting for my new mSATA to arrive and then setting up from scratch on 2.4.4
Once I see more positive feedback on 2.4.5 I will upgrade again after taking backups of the fresh 2.4.4
-
Updated a test HA cluster running on 9 year old Astaro hardware with no issues, no packages uninstalled first - lots of them.
Just keep in mind:
- config backups
- have current (not your target) version ISO / CD / bootable USB stick ready
- that initial reboot before hitting upgrade
-
I agree with you!!!, this is an APU board (perfect for SOHO use with pfsense) and the upgrade is hassle-free.
Considering the FW version of the board!
-
@DaddyGo said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:
@tohil
.... It takes a significant amount of time after the upgrade for the system to come up again. (cca. 10-15 min, under no circumstances restart manually or intervene)
There are packet loss and high gateway response times in the beginning, but these disappear. ....
This 10-15 minutes of packet loss and high gateway latency you describe (like many others) is a serious problem. In my cases, this huge disruption minutes also occurs after any following reboot and causes major disruption for 250+ staff.
-
All major updates / upgrades require attention and spend time.
Nor can the developers of pfSense promise that everything will go perfectly on every platform.
I can tell you that there are no major issues with PcEngines APU platform with 2.4.5.
The same is true for Dell R210II (16GB RAM 8 core CPU + 2x120GB Kingston SSD in ZFS RAID).
Everyone should be careful before upgrading, we handle more than 800 customers and have upgraded only 20-25% of the system.
The high gateway values that appear to be described as aggressive are only experienced after this first start-up and then disappear.
This scares many colleagues right away, but it is not always a maintained condition, if there is a possibility for a test environment, it can also be a solution first.
-
I would also note that, because of COVID, it is really not a good idea to upgrade remote systems now, as there is social distance and limited mobility!!!
-
Hi
What are your field experiences upgrading to 2.4.5 on APU2 Boards in the past weeks?
regards
-
Hi,
We upgraded all our devices (pcEngines) and had no serious problems.
In two cases, it was necessary to reinstall pfBlockerNG-devel, but this problem was probably not due to the base package.
brgds,
K
-
I recommend NOT upgrading anything to v2.4.5 due to some serious issues but instead waiting for v2.4.5-p1.
The good news is the development team have been hard at work and v2.4.5-p1 has had a lot of progress and is nearly completed.
As of writing this, there are only 10 outstanding issues to be solved. v2.4.5-p1 is not going to be too far away, so, unless you absolutely must upgrade, I would wait. If I were pushed to guess, probably sometime in late June or early July, but do note:
- I'm not a pfSense developer - these are my own observations
- More issues could be added to v2.4.5-p1 and delay the release
- Testing could also reveal issues and require more work
- There is not an actual release date
-
@nzkiwi68 Limping along on 1 core only since it keeps the FW stable.
Cannot push more than 200Mbit with Suricata, so we are definitely limited...
-
@Cool_Corona said in Should I Upgrade NOW to 2.4.5 or better wait a few weeks.:
Cannot push more than 200Mbit with Suricata, so we are definitely limited...
Just an observation : if you need Suricata after the apprentice phase **, what about isolating the hopeless cases into a departed network where they can explode themselves and others. This way, ditch Suricata, and both trusted and untrusted can do what they do best at the fastest speed available ?!
You, as an admin, explaining to your clients that loading and executing trojans is no good - neither illegal video content, etc etc
-
Just a completely private opinion:
if everyone likes to sit as safe as you do, how do you think the Netgate guys can get feedback for improvements or next step.....
All I can say is that the APU boards are not sensitive to the update in the above setting (which I have already described)
-
I haven't pulled the trigger on this yet either.
I have an SG-1100 that I consider mission-critical (I'm a home user but work at home 100% of the time. Work PC is on the OPT port.) I cannot afford to have downtime while troubleshooting an update.
I am using the SG-1100 right out of the box with the exception of a few firewall rules. Zero packages installed.
Should I update now? I am not opposed to buying a 2nd SG-1100 so that I always have a working fallback.
What say you, group? And thanks.
-
@NGUSER6947 I'm running 2.4.5 at home, on an SG-4860, and I am having absolutely no troubles. I know, you've got different hardware, but I just wanted to make a point.
I have only 1 extra package installed - NUT. I want the firewall to shut down gracefully on a power loss, since I've got it plugged into a UPS box close by.
I have been running like this for about a month now, maybe. Can't remember when I did the upgrade. The box is showing 14 days of uptime. I must have rebooted for some reason 2 weeks ago, but I can't remember why.
Hope that helps.
Also, if your SG-1100 is "mission critical" like you say, and your work depends on it, I would get an extra spare, just in case. Not trying to get you to spend extra money right now, but important is important, right?
Jeff
-
Also to chime in, I updated to 2.4.5 hours after it came out on my sg4860, zero issues.. Zero.. And I have lots of packages..
Uptime 64 Days 04 Hours 55 Minutes 33 Seconds
Even had a few minor power outages.. But all of my networking gear is on ups.. So as long as the outage is say less than 20 minutes or so - internet still works, even the wifi ;)
I have not updated any of the sg3100 at work, because nobody in the office.. And just doesn't make sense to do an update remotely - even on the slightest chance something could go wrong.. Once back in the office and can get to the devices on the worse case scenario something goes wonky... But normally I just pull the trigger on these devices... But sure don't want something going wrong and someone going into the office and the internet to be down because I couldn't wait a few weeks to do an update ;)
2.4.5p1 will prob be out before we get back into the office as well ;)
-
Updated two boxes on the same day 2.4.5 was released. The latency / high CPU usage issue related to pfctl is a bit of an annoyance on one of the boxes. However, I see that a fix is already in the works for 2.4.5 P1 by following the issues and discussion on Redmine. Other than that, everything has been running very smoothly.