pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!

froussy · Feb 17, 2021, 9:57 PM

Just upgraded my sg-5100 to 21.02.. had to downgrade to 2.4.5.. IPSec tunnel keep dropping, even recreating them :(

captainjackla · Feb 17, 2021, 11:17 PM

Yeah, I was on 2.4.5 and just noticed that 2.5 was available. But before that I was trying to setup OpenVPN, but the Package Manager would not complete the job. Rebooted, tried again, still nothing. That's when I noticed 2.5.0 was available.

Went for the system upgrade, it went through with no errors but then got stuck on the reboot after it said it was finished. I waited a good 10 minutes, I know it should not take that long.

I am using a Mac Mini system for my test firewall. All working great until now. 2.5.0 jacked up the entire install and settings. I did a hard reboot, went directly to the shell and all of the settings were gone. It would not even let me Assign Interface, Set IP address, not even a shutdown or reboot. I had to reinstall 2.4.5 from fresh. WTF is going on with 2.5.0? I will stay away from it for now.

SteveITS · Feb 17, 2021, 11:47 PM

@captainjackla said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

before that I was trying to setup OpenVPN, but the Package Manager would not complete the job

If you were trying to install a package today before upgrading to 2.5 you may have been trying to install the 2.5 package on 2.4.5 which could well break things, if it tries to update things for newer dependencies (https://redmine.pfsense.org/issues/10464). It can be forced to use 2.4.5 packages, by setting System/Update to use the "previous stable version."

captainjackla · Feb 18, 2021, 12:18 AM

@teamits
I just rebuilt the system, back to 2.4.5. Nothing but default settings. All Available Packages show up, but it still won't install any that I select, I tried 5 or 6. So the new 2.5 version does not come into play now.

It make me thing it's the MacMini that's causing it. We always Dell computers, Package Mananger has never been an issue in the past. That's why I am only doing this Mac as a test. Everything else on it works great.

edmund · Feb 18, 2021, 3:09 AM

I just upgraded and lost all connection to the Internet - the Internet interface started showing an RTT of 2000ms. The interface has been talking with a cable modem for years working fine at a fixed 100M rate - the upgrade had not changed anything obvious but I started seeing massive packet loss and the interface kept flickering to show "autoselect" but that's something that I have never used because it's a long cable to the other side of the building. that doesn't support 1000M but works fine at 100M.
Another odd thing was that the administration interface because terribly slow, trying to update the interface settings took a couple of minutes with the various "Save" buttons being very unresponsive. A reboot fixed the problem for a couple of minutes and then it returned, losing all internet connections.
It looks like the problem in the interface settings, even if you select a setting the new version goes and plays with them - the new interface driver has issues.
I am not going to update any of the other firewalls - right now I've got the problem "fixed" by moving the SG-4860 across the building to sit next to the cable interface.

Funky D · Feb 18, 2021, 1:32 AM

@captainjackla said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

All Available Packages show up, but it still won't install any that I select, I tried 5 or 6.

Are you allowing IPv6? I had to go to System / Advanced / Networking and uncheck the "Allow IPv6" box for the package manager to work. There are other reports of this issue on 2.4.5... seems to work ok after the 2.5 upgrade with IPv6 allowed.

Also, similar to another post on this forum, DNS was flakey after the upgrade and I had to re-run the network setup wizard to get things up and running. Not sure if a reboot would have fixed that issue as well, but the setup wizard retains all settings.

captainjackla · Feb 18, 2021, 1:32 AM

@funky-d
I never use IP6 so its always unchecked. I have 3 or 4 other sites with 2.4.5 that use OpenVPN and package manager was not an issue.

I will not upgrade any firewall until 2.5.1 comes out and tested. So it seems that I have 2 different issues.

johnpoz · Feb 18, 2021, 1:42 AM

Ok I couldn't wait.. So I booted usb with 21.02 on it - but could not get switched over to ZFS.. It wouldn't boot... Might help if I did a bit of research before just clicking go ;)

So anyhoo - I just did UFS from the usb, it loaded my config that I had put on the usb.. And I am up and running.. Looks like everything is working.. HAproxy is working, freerad is working. My vpn connection to my vps came up. My HE tunnel came up.. There was one package it couldn't install because its not in the 2.5

I will have to read over the docs on migration from UFS to ZFS..

It took a bit to reinstall my packages - but didn't have to reconfigure anything..

flepti · Feb 18, 2021, 1:42 AM

WAN interface for CE 2.5.0 with static IP configuration using a non-local IP gateway is just showing as offline (upgraded from 2.4.5), re-created another VM (2.4.5) no extra packages installed and upgraded to 2.5.0 using the GUI, same issue, it's somehow unable to contact the gateway.

JeffV · Feb 18, 2021, 3:09 AM

@edmund
I have the same situation on my SG-2440. I've tried all kind of things and can't keep my WAN up for more than 5 minutes at a time. I have Verizon FiOS w/ DHCP. Interestingly, I'm able to use another consumer router to interface with FiOS and it's LAN port going into my SG-2440's WAN port results in a stable connection. Not ideal but at least a temporary workaround.

peter-fyri · Feb 18, 2021, 5:29 AM

I also upgraded 2 of my boxes, all good.
But, as always, I will reinstall 2.5.0 from scratch anyway, I like to refresh them from time to time.

captainjackla · Feb 18, 2021, 6:14 AM

@peter-fyri said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

I also upgraded 2 of my boxes, all good.
But, as always, I will reinstall 2.5.0 from scratch anyway, I like to refresh them from time to time.

Great idea. I am going to try that tomorrow with my test box. See if 2.5 will work and if I can get Package Manager to work, I need VPN installed.

peter-fyri · Feb 18, 2021, 6:18 AM

@captainjackla
When I upgraded, on one of the boxes, I had 2 OpenVPN servers set up, which fortunately continued working after the upgrade.

bldnightowl · Feb 18, 2021, 7:10 AM

I have a cron job which runs every minute to update the SG3100 LEDs based on the gateway status. It no longer seems to do anything in 21.02. No errors when run explicitly on the console -- but the LEDs remain unchanged (circle dark, square dark, diamond flashing blue).

#!/bin/tcsh
#
# This script updates the SG-3100 device's first LED with gateway status
#
#   php /usr/local/sbin/pfSsh.php playback gatewaystatus
#
set gw = `/usr/local/bin/php /usr/local/sbin/pfSsh.php playback gatewaystatus | grep WAN `
set gwping = `echo $gw | awk '{ ORS="  "; print $6 }' `
set gwstatus = `echo $gw | awk '{ ORS="  "; print $7 }' `

# based on gwstatus, set color of first LED
# led a  -  led b  -  led c
# 6 7 8  -  3 4 5  -  0 1 2

switch ($gwstatus)
case "none":
case "Online":
    /usr/sbin/gpioctl 6 duty 0
    /usr/sbin/gpioctl 7 duty 1
    /usr/sbin/gpioctl 8 duty 0
    breaksw
case "down":
case "Offline":
    /usr/sbin/gpioctl 6 duty 10
    /usr/sbin/gpioctl 7 duty 0
    /usr/sbin/gpioctl 8 duty 0
    breaksw
case "highloss":
case "loss":
case "highdelay":
case "delay":
case "Warning":
    /usr/sbin/gpioctl 6 duty 10
    /usr/sbin/gpioctl 7 duty 1
    /usr/sbin/gpioctl 8 duty 0
    breaksw
default:
    /usr/sbin/gpioctl 6 duty 0
    /usr/sbin/gpioctl 7 duty 0
    /usr/sbin/gpioctl 8 duty 128
endsw

bldnightowl · Feb 18, 2021, 8:25 AM

Figured it out -- apparently my LEDs are now /dev/gpioc2 after the upgrade -- when before they were the default /dev.gpioc0. Whatever.

Waqar.UK · Feb 18, 2021, 3:24 PM

I upgraded a few mintues ago, after the message counting down "rebooting" in 90 seconds, it kept on re-setting 20 seconds. This happened at least twice. Then I clicked on the "pfsense" icon on the top left hand side, logged on again and I saw version 2.50. so really pretty good upgrade.
Memory usage is up, but having 8 GB RAM, so this is not a problem. Internet seems more sprightly and speed-test is slightly better. Overall smooth.

edmund · Feb 18, 2021, 1:39 PM

@funky-d - good point, the 21.02 release appears to have made many internal changes that can cause problems. Anyone updating may have to spend a lot of time reconfiguring everything to get it working again. They seem to deleted the IPV4 support in this "downgrade"

aponomarenko · Feb 18, 2021, 3:22 PM

Make hardware probes to get counted in statistics like this was done by OPNsense users.

SteveITS · Feb 18, 2021, 3:24 PM

@waqar-uk said in pfSense Community Edition (CE) 2.5.0 and pfSense Plus 21.02 now available!:

after the message counting down "rebooting" in 90 seconds, it kept on re-setting 20 seconds

I haven't installed 2.5 yet but based on upgrades on prior versions like 2.4.x the timing is heavily dependent on hardware, for example disk write speed. On base level 2100s and 3100s we generally allow 10 minutes before even thinking about starting to worry. I suspect the timer is something to look at so the person doesn't get a "can't connect" browser error, panic, and pull power during the upgrade.

tman222 · Feb 18, 2021, 5:42 PM

Upgraded to 2.5.0 from 2.4.5p1 yesterday and everything went smooth. Upgrade took about 5 minutes and system came right back up. All packages and services working as expected. I've been using pfSense since the 2.3.x branch on a Supermicro 5018D-FN8T 1U server and all upgrades since then have gone smoothly.

With this latest release I get the impression that network throughput has improved a little bit, although that is based mostly on anecdotal evidence right now by running a few internal internal (routing between two 10Gbit LAN subnets) and external (e.g. speedtest.net) speed tests since the upgrade.

The only issue I have run into are ping spikes that appear to get worse if I increase the velocity of ping packets.

https://forum.netgate.com/topic/160974/upgraded-to-2-5-0-now-seeing-ping-spikes

I have reviewed and changed my hardware tuning parameters a little bit and this appears to have helped somewhat by making the spikes last frequent at lower velocities. The issue still persists, however, but thankfully I have no evidence right now that this is a general problem affecting all traffic (e.g. including TCP, UDP, etc.). Could ICMP packets be getting de-prioritized somehow?

On a related note, I also want to call out that there have been some fairly significant changes to how FreeBSD 12 handles NIC driver interfacing with the OS kernel compared to older versions. For instance, FreeBSD now uses a framework called iflib:

https://www.freebsd.org/cgi/man.cgi?query=iflib&sektion=4&apropos=0&manpath=FreeBSD+12.2-RELEASE+and+Ports

The em driver has also been updated, please see the following:

https://www.freebsd.org/cgi/man.cgi?query=em&apropos=0&sektion=4&manpath=FreeBSD+12.2-RELEASE+and+Ports&arch=default&format=html

https://forums.freebsd.org/threads/freebsd-12-sysctl-system-parameters.78806/

If you're like me and have a lot of hardware tunables set, it is worth reviewing them after the upgrade as some of them 1. may no longer be supported, or 2. may now have be set through iflib. For example, this will be the case if you have a system that uses Intel NIC's and the igb driver.