To 2.5.1 or not ? that is the question :)

miken58b

Hi all

I'm generally used to pfSense updates running smoothly so was rather surprised when the dedicated router PC failed to reboot after applying the 2.5.1 update. I plugged a monitor in and could see the load stalled with "Can't find /boot/entropy". A Google search revealed this to be a common problem relating to legacy v UEFI disc formatting. I guess this was perhaps a problem waiting to happen but I'm puzzled as to why this update triggered the requirement to be UEFI compliant. If it were known that this was a 'feature' of the update some advance warning would have been appreciated....

I run pfSense on a dedicated cheap Mini-ITX PC. The American Megatrends BIOS doesn't have the option to force legacy boot format. I put a spare hard drive in the machine and downloaded 2.5.1 onto a memory stick. On booting the memory stick I got the same "Can't find /boot/entropy" issue. I then discovered the BIOS has an interactive boot option menu and selecting the UEFI option for the memory stick allowed it to load correctly. I then did an install onto the gash disc making sure I specified UEFI and went on to use the config.xml saved from the time of the 2.5.0 release. I regret NOT taking a config backup before attempting the 2.5.1 upgrade. I won't make that mistake again. Luckily such changes as I've made since 2.5.0 are not devastating to do again. The ability to restore the config from backup is awesome.

The fresh install of 2.5.1 now boots without manual interaction using UEFI / gpt.

I don't pretend to understand all that's gone on and feel I have just blundered through to a solution. I would love to be able to convert the original disc with the non-booting 2.5.1 on it to UEFI (and mbr to gpt) but I haven't found a simple recipe for achieving that. I don't assume plugging the disc into a Windows 10 machine and using mbr2gpt.exe will produce something FreeBSD will work with although it might be worth a try.

Had I started out with a UEFI compatible disc I suspect none of my problems would have happened... Has to be written off to a 'learning experience' :).

Any got any comments??

Mike

Patch

@ciscox said in To 2.5.1 or not ? that is the question :):

Maybe it's time to report it. Make an bug-rapport. Can someone please add it on the bugtracker.

Has been done and apparently a fix is close https://redmine.pfsense.org/issues/11805

Also I find TLA distract from readability so in case anyone cares CAM manual page and a thread on common causes of errors

Bismarck

@miken58b That makes totally sense in my case. My pfSense hardware is BIOS/MBR, but the update converted it somehow to UEFI/GPT, thus leaving me with a unbootable system and just a fresh install fixed it.

Looks like the pfSense CE version needs a bit more attention...

pfnow

Successfully updated a VM (ESXi 6.7u3) and a physical pfSense CE from 2.5.0 to 2.5.1. No issues to report.

SteveITS

@waqar-uk said in To 2.5.1 or not ? that is the question :):

want to know if my untouched firmware ver 2.4.5 can be used to the latest package 2.5.1

You will need to format the drive before installing an old version so it does not matter what is installed now.

Packages will need to be installed again, but be sure to set pfSense to "previous stable version" per my signature before installing packages. Attempting to install packages for 2.5 on 2.4.5 will likely break things.

Qinn

@miken58b If you format it ZFS you can take a snapshot and in split second you would have been back into the same state as the snapshot was created, on 2.4.5-p1

Waqar.UK

@steveits

OK. Thanks. Shame really as I have firmware versions for 2.45 just saved after installing pfsense.

bingo600

Arrghhhh .....

You guyzz just cost me 2 new Samsung EVO 870 - 256GB disks for my two home pfsense(s)

I gotta try that ZFS snapshot feature.

And if i have to install 2.5.1 soon , i can just do it from scratch w. ZFS

/Bingo

chudak

@bingo600 said in To 2.5.1 or not ? that is the question :):

Arrghhhh .....

You guyzz just cost me 2 new Samsung EVO 870 - 256GB disks for my two home pfsense(s)

I gotta try that ZFS snapshot feature.

And if i have to install 2.5.1 soon , i can just do it from scratch w. ZFS

/Bingo

So I guess the steps would be:

fresh pfSense 2.x.x install
make sure zfs selected
restore pfSense back up

and then what? how do you create and restore zfs snapshots of pfSense?

bingo600

@chudak

I hope like this

https://www.freebsd.org/cgi/man.cgi?zfs

https://danielisz.wordpress.com/2018/04/14/zfs-snapshot-on-freebsd/
https://danielisz.wordpress.com/2018/04/20/zfs-snapshot-on-freebsd-part-2/

https://www.maketecheasier.com/use-zfs-snapshots-clones/

/Bingo

chudak

@bingo600 said in To 2.5.1 or not ? that is the question :):

@chudak

I hope like this

https://www.freebsd.org/cgi/man.cgi?zfs

https://danielisz.wordpress.com/2018/04/14/zfs-snapshot-on-freebsd/
https://danielisz.wordpress.com/2018/04/20/zfs-snapshot-on-freebsd-part-2/

https://www.maketecheasier.com/use-zfs-snapshots-clones/

/Bingo

Thanks for the info !

Side note: you know every time I need to do anything with zfs I read very long complex explanations. Given that I am clueless about zfs, of cause... But should it be an easy, something like: run "blah-blah back-up" and then "blah-blah restore" ?! ( mumbling aloud :) )

bartkowski

I upgraded my SG-2440 without any issues (I disabled pfBlockerNG before).
I initiated the upgrade from GUI and then went to the store, came back, and it was done. Smooth.

Astraea

Well I tried the new 2.5.1 update and had to roll back again to 2.4.5-p1 as Open VPN clients to my VPN service would not connect and also my multi-WAN setup would not allow for the port forwards to work. I have read there are issues with both OpenVPN and with Multi-WAN setups since the release of 2.5

Trying to get onto 2.5 since its release but have to keep rolling back, my next move it to try a clean install at a later date but for now, I will have to stay on the older version

bingo600

@chudak
The only thing that gave me an issue w. ZFS on 2.4.5 , was that it "barfed" during install. That no disk was selcted.
Easy solved , just select the disk in the menu , before clikking proceed.

/Bingo

chpalmer

I had to add one of my interfaces back to my LAGG used for my WAN.

I had to go to each openVPN server config page and simply hit "save" to get my VPN's back up. I did not have to do this to any of the remote sites on the other end of the VPN's

Otherwise up and working.

Qinn

@chudak It's rather easy, first you create the snapshots. In the beginning snapshot are 0MB. They will grow with every change. Then upgrade to let's say 2.5.0 and after the upgrade they will have "kinda" the size of a complete pfSense installation, as everything has changed due to the upgrade and the snapshot "saves" all the changes. When you rollback (that's how a restore is called) all is back as to the moment the snapshots were created.

chudak

@qinn said in To 2.5.1 or not ? that is the question :):

@chudak It's rather easy, first you create the snapshots. In the beginning snapshot are 0MB. They will grow with every change. Then upgrade to let's say 2.5.0 and after the upgrade they will have "kinda" the size of a complete pfSense installation, as everything has changed due to the upgrade and the snapshot "saves" all the changes. When you rollback (that's how a restore is called) all is back as to the moment the snapshots were created.

Sounds good !
I've started a small VM to test and installed 2.5.1 on zfs

Do you know command lines how to test it ?

AKEGEC

I just want to warn people about downgrade to previous pfsense versions with current configuration settings, After you downgrade and restored using current backup configuration, make sure you check every settings. Some security Encryption settings could be changed to lowest security e.g. 512 bits to 256 or 128 bits.

I feel really sorry for users that experienced problems.

bingo600

@akegec said in To 2.5.1 or not ? that is the question :):

I just want to warn people about downgrade to previous pfsense versions with current configuration settings, After you downgrade and restored using current backup configuration, make sure you check every settings. Some security Encryption settings could be changed to lowest security e.g. 512 bits to 256 or 128 bits.

I feel really sorry for users that experienced problems.

Nice "warning"

To me it seems like you are referring to OpenVPN encryptopn settings or ???

And i suppose you are talking about restoring a config made on a 2.5.x system , onto a "clean" 2.4.5 ??

That post needs further explanation , please elaborate a bit.

/Bingo

Qinn

@chudak Good idea use a VM and take a look at

https://forum.netgate.com/topic/95148/pc-engines-apu2-experiences/577