To 2.5.0 or not ? that is the question :)

dma_pf

Upgraded to 2.5.0 about 10 hours ago from the GUI. The update went smoothly and took a total of less than 15 minutes. I was able to login to the GUI after the upgrade was completed. Everything has been running well and has been stable. I had 2 issues that came up post upgrade.

Issue 1: I had 3 openvpn connections that were down. Before the upgrade I had read some posts where others had had the same issue. The fix was to uncheck the "Data Encryption Negotiation" setting in the openvpn client setups. As soon as the setting was unchecked and saved the connections were immediately reinstated.

Issue 2: Once pfBlockerNG-devel was reinstalled the DNSBL was out of sync. It was easily resolved with a Forced/Reload in the Update tab in pfBlockerNG.

My setup includes the following: 1 WAN, 2 regular interfaces, 4 vlans, multiple DHCP Servers, DNS Resolver, Dynamic DNS, 3 openvpn clients, 2 openvpn servers.

yon 0

@artes said in To 2.5.0 or not ? that is the question :):

/usr/local/etc/rc.d/frr restart all
Checking intergrated config...
Checking vtysh.conf
line 37: % Unknown command[4]:  address-family ipv4 unicast
line 38: % Unknown command[4]:   network <ip>.64.0/20
line 39: % Unknown command[4]:   neighbor <ip>.16.1 activate
line 40: % Unknown command[4]:   neighbor <ip>.16.17 activate
line 41: % Unknown command[4]:   neighbor <ip>.16.29 activate
line 42: % Unknown command[4]:   neighbor <ip>.16.1 send-community both
line 43: % Unknown command[4]:   neighbor <ip>.16.1 next-hop-self
line 44: % Unknown command[4]:   neighbor <ip>.16.1 soft-reconfiguration inbound
line 45: % Unknown command[4]:   neighbor <ip>.16.1 route-map Site_Kref_Primary_RMAP in
line 46: % Unknown command[4]:   neighbor <ip>.16.1 addpath-tx-bestpath-per-AS
line 47: % Unknown command[4]:   neighbor <ip>.16.17 send-community both
line 48: % Unknown command[4]:   neighbor <ip>.16.17 next-hop-self
line 49: % Unknown command[4]:   neighbor <ip>.16.17 route-map HDC-LOCAL-PREF80 in
line 50: % Unknown command[4]:   neighbor <ip>.16.29 send-community both
line 51: % Unknown command[4]:   neighbor <ip>.16.29 next-hop-self
line 52: % Unknown command[4]:   neighbor <ip>.16.29 route-map HDC-LOCAL-PREF90 in
line 53: % Unknown command[4]:  exit-address-family
FAILED

If somebody is using FRR for BGP be carefull - Zebra and BGPd won't come up and your network is fried if you rely on it. Thanks to virtualization and snapshot it's possible to minimize damage.

yes, i am using frr and network down.

chudak

@jwj said in To 2.5.0 or not ? that is the question :):

https://nyifiles.netgate.com/mirror/downloads

Do you have another pointer ?
This one points to 2.5.0

A Former User

@chudak No. The older ones have been removed from the mirrors.

yon 0

i have some old version, maybe i have to change to old version for test.

stephenw10

Open a ticket and we can get you a link to 2.4.5p1 if you need it for now: https://go.netgate.com/

Steve

bingo600

@jwj said in To 2.5.0 or not ? that is the question :):

@chudak No. The older ones have been removed from the mirrors.

I learned the hard way ....
Always download & save a copy of the install packages used, along with the SHA256-SUM.
That goes for "even if you do just upgrade" , always get an install image of the version you have upgraded to.

I upgraded from 2.4.4-p3 to 2.4.5-p1 , and luckily remembered to get a copy of the 2.4.5-p1 install image , even though i never installed from that image.

Is handy to have right now , if i need to fallbck.

/Bingo

chudak

@bingo600 said in To 2.5.0 or not ? that is the question :):

@jwj said in To 2.5.0 or not ? that is the question :):

@chudak No. The older ones have been removed from the mirrors.

I learned the hard way ....
Always download & save a copy of the install packages used, along with the SHA256-SUM.
That goes for "even if you do just upgrade" , always get an install image of the version you have upgraded to.

I upgraded from 2.4.4-p3 to 2.4.5-p1 , and luckily remembered to get a copy of the 2.4.5-p1 install image , even though i never installed from that image.

Is handy to have right now , if i need to fallbck.

/Bingo

This is a good practice.
More interesting is why Netgate won't allow access to older versions ?!

stephenw10

Open a ticket and we can get it to you if you need it.

chudak

This post is deleted!

buggz

Downloaded old and new ISO image files.
Backed up configuration to .xml file.

Performed online update from 2.4.5-p1 to 2.5
Rebooted, everything seems to work, EXCEPT...

Traffic Graphs for LAN - no data is shown, but traffic is working.
Interface/LAN (igb0) tab, save operation reports:
"The Router Advertisements Server is active on this interface and it can be used only with a static IPv6 configuration.
Please disable the Router Advertisements Server service on this interface first, then change the interface configuration."

I don't have IPV6 enabled on WAN, nor LAN, never had.

IS there any where else this is configured?

viktor_g

@buggz said in To 2.5.0 or not ? that is the question :):

Downloaded old and new ISO image files.
Backed up configuration to .xml file.

Performed online update from 2.4.5-p1 to 2.5
Rebooted, everything seems to work, EXCEPT...

Traffic Graphs for LAN - no data is shown, but traffic is working.
Interface/LAN (igb0) tab, save operation reports:
"The Router Advertisements Server is active on this interface and it can be used only with a static IPv6 configuration.
Please disable the Router Advertisements Server service on this interface first, then change the interface configuration."

I don't have IPV6 enabled on WAN, nor LAN, never had.

IS there any where else this is configured?

It was configured before
You can temporary set the LAN IPv6 address to static mode and disable the Router Advertisements Server on the Services / DHCPv6 & RA page, then switch the LAN IP back.
see https://redmine.pfsense.org/issues/11367

buggz

@viktor_g
Perfect!
Thank you!

buggz

Hmm, well, cleared the error, but still no traffic for LAN shown on the Traffic Graph...

chudak

My 2c...

Well, usually I click on the upgrade button before reading any messages. Not this time, I was trying to be very careful and finally got brave today and did upgrade to 2.5.0

In general after ~10 minutes the system rebooted and I was able to login.

Here is the list of my packages:

No names were resolving at first.
I did enable "DHCP Registration" saved and disabled it and saved again, and everything seem to be working fine (will see how sustainable this is after awhile).

I did see a couple of times after reboots that DNS Resolver was not resolving names even tho the service was up and running, after restating it all went back to normal. No really sure if this is a problem.
I use "Enable Forwarding Mode" with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" encryption.

One of my worries was OpenVNP server as I have some clients that will be uneasy to update. But OpenVNP seems normal.

Hope this help some people.

PS: I see a new service "pcscd PC/SC Smart Card Daemon" - what is it ?

KB8DOA

After having installed RC21 on several appliances, then seeing traffic halt -

I then freaked out and removed anything having to do with IPv6 out of all of them, to get them working again.

I was quite saddened to have to do this, but there were no known workarounds.

I am not sure if I will ever go through all the work again, and set up IPv6 again in the future.

I would really like to know how PFsense+ made it to RC status, and nobody even tested IPv6.

I am now also questioning continued use of pfSense+, because of this - as it caused a big disruption and major inconvenience....

skogs

@kb8doa Roughly 40% of my traffic is IPv6 and seems just fine and I did do tons of testing over the last 6 months.

stephenw10

@kb8doa said in To 2.5.0 or not ? that is the question :):

I would really like to know how PFsense+ made it to RC status, and nobody even tested IPv6.

Clearly that is not true.

IPv6 is working fine for me and many, many others. The only thing I've seen the IPv6 gatewau monitoring issue but that does not prevent v6 connectivity.
If your particular IPv6 setup is not working in 21.02/2.5 then open a thread about it to diagnose it. If it's a bug open a bug report so we can get it fixed.

Steve

KB8DOA

@stephenw10 said in To 2.5.0 or not ? that is the question :):

@kb8doa said in To 2.5.0 or not ? that is the question :):

I would really like to know how PFsense+ made it to RC status, and nobody even tested IPv6.

Clearly that is not true.

IPv6 is working fine for me and many, many others. The only thing I've seen the IPv6 gatewau monitoring issue but that does not prevent v6 connectivity.
If your particular IPv6 setup is not working in 21.02/2.5 then open a thread about it to diagnose it. If it's a bug open a bug report so we can get it fixed.

Steve

At the time that I applied the RC21, there was no way of me to know that a "bug" was preventing the IPv6 Gateway detection/monitoring.
If I would have known, I could have just manually disabled the monitoring to allow the interface to function...

So are you saying that all testing of RC21 ironically involved users that had static IPv6 setups?
I am just trying to wrap my head around how the the software progressed to RC with such a showstopper?
Or did I miss a release note that specifically instructed us to disable Gateway Monitoring for IPv6?

stephenw10

The only thing that is not working there is the monitoring itself. dpinger fails to select the monitoring target. You can set one manually and it's fine.
In either case it does not actually affect v6 connectivity. Or did not for me at least.
https://redmine.pfsense.org/issues/11454

Steve