To 2.5.1 or not ? that is the question :)

chudak

@qinn said in To 2.5.1 or not ? that is the question :):

@chudak It's rather easy, first you create the snapshots. In the beginning snapshot are 0MB. They will grow with every change. Then upgrade to let's say 2.5.0 and after the upgrade they will have "kinda" the size of a complete pfSense installation, as everything has changed due to the upgrade and the snapshot "saves" all the changes. When you rollback (that's how a restore is called) all is back as to the moment the snapshots were created.

Sounds good !
I've started a small VM to test and installed 2.5.1 on zfs

Do you know command lines how to test it ?

AKEGEC

I just want to warn people about downgrade to previous pfsense versions with current configuration settings, After you downgrade and restored using current backup configuration, make sure you check every settings. Some security Encryption settings could be changed to lowest security e.g. 512 bits to 256 or 128 bits.

I feel really sorry for users that experienced problems.

bingo600

@akegec said in To 2.5.1 or not ? that is the question :):

I just want to warn people about downgrade to previous pfsense versions with current configuration settings, After you downgrade and restored using current backup configuration, make sure you check every settings. Some security Encryption settings could be changed to lowest security e.g. 512 bits to 256 or 128 bits.

I feel really sorry for users that experienced problems.

Nice "warning"

To me it seems like you are referring to OpenVPN encryptopn settings or ???

And i suppose you are talking about restoring a config made on a 2.5.x system , onto a "clean" 2.4.5 ??

That post needs further explanation , please elaborate a bit.

/Bingo

Qinn

@chudak Good idea use a VM and take a look at

https://forum.netgate.com/topic/95148/pc-engines-apu2-experiences/577

chudak

@qinn said in To 2.5.1 or not ? that is the question :):

@chudak Good idea use a VM and take a look at

https://forum.netgate.com/topic/95148/pc-engines-apu2-experiences/577

Very useful, thx !

I tried a dry-run, commands worked, but it was not real as my VM is not fully setup as a router. But in general it seem like a worthwhile exercise to consider switch to zfs.

Docop2

On my side, as soon you try to do an install with a different ip or a different sub. it result into a 404 Not found -nginx error page. if leave and touch nothing and just put the psw.. look ok, but even after try to change the ip and it fail. Doing the exact same process as 2.4.5 or 2.5. So .. no 2.5 is the last working version.

TAC57

@yanik Did you get your port forwarding working in 2.5.1?

I'm having the same issues on port forwarding to my Synology box and Plex Server (FreeNAS box). :-(

To roll back from pfSense 2.5.1 to 2.5.0 can I just restore my 2.5.0 backup config file, or would I have to do a clean install of pfSense 2.5.0 first and then restore the 2.5.0 backup?

bingo600

@tac57
A roolback would always include a reinstall (format) , unless you are using ZFS w. snapshot.

AKEGEC

@docop2 de Winter is almost over, let's hope dev fix the bugs.

Yanik

@tac57 said in To 2.5.1 or not ? that is the question :):

@yanik Did you get your port forwarding working in 2.5.1?

I'm having the same issues on port forwarding to my Synology box and Plex Server (FreeNAS box). :-(

To roll back from pfSense 2.5.1 to 2.5.0 can I just restore my 2.5.0 backup config file, or would I have to do a clean install of pfSense 2.5.0 first and then restore the 2.5.0 backup?

No, 2.5.1 port forwarding doesnt work.
I reinstalled pfsense v2.4.5_1 with zfs instead of ufs to able to have snapshots before upgrades.

JustWantItToWork

Upgrade from 2.5.0 to 2.5.1 went quickly and mostly fine on my netgate RCC-VE 2440. I have a pretty basic setup with a few vlans and pfblocker. The only issue I noticed was that DNS was not working. A subsequent reboot solved that.

marvosa

My starting point was a working v2.5.0 install with no issues. Here is the sequence of events after upgrading to v2.5.1 this morning:

1. PFsense unable to route traffic after boot up.
2. Unable to ping google.com or 8.8.8.8 from PC
3. Bounced the DNS forwarder service, no change
4. Rebooted PFsense, no change
5. Still unable to ping google.com or 8.8.8.8 from PC
6. Verified PFsense itself can ping 8.8.8.8
7. Verified correct default gateway was selected
8. Rebooted PFsense a 2nd time, no change
9. Verified I am able to ping my L3 switch and PFsense, but unable to ping my WAN_DHCP gateway IP (i.e. cable modem)
10. Power cycled cable modem
11. We have Internet!

I've never had to bounce my cable modem with any other upgrades (including 2.4.5-p1 to 2.5.0), so it's unclear why a power cycle was needed after this latest upgrade from 2.5.0 to 2.5.1.

I would be cautious about any remote upgrades to this version. This would've been a disaster if I performed the upgrade remotely and wasn't on-site to troubleshoot the outage.

Gertjan

@marvosa
Let me redo you list :

1 PFsense unable to route traffic after boot up.
1a) does it have a WAN IP ? Is it a valid IP ? Does it have a gateway ? Are these addresses known / seen before.

I'll be looking at the DHCP client log. Checking if there was a dialog that looks 'normal' between the pfSense DHCP client, and the upstream DHCP server, where ever that may be.

Step 2 to 11 : sending a ping to some remote network, knowing there is no 'route' only proves there is no route.
Restarting DNS doesn't has anything to do with routes. When using IP addresses as 8.8.8.8, DNS functionality isn't used anyway. Also, if there is no 'route', DNS wouldn't work anyway.

Very true : Modem devices have most often nothing to set up, and should be transparent.
The reality is different : the most strange things are shown on this forum : modem that flap their NIX state several times during reboot or connection re negotiation. Or assign a RFC1918 while the connection isn't build yet.

After pfSEnse has been undergoing a major update, a planned reboot is part of the 'validation process'. Just to be sure that, if it reboots in your absence, things land on their feeds.

It's hard to say what happened in your case, but it could be something like this :
Updating pfsense to 2.5.0 needs a kernel update. To do this, it needs to reboot to load the new kernel. The reboot will take you pfSense WAN NIC down for a moment. The mdoem sees this, and act upon that event, like : a upstream re negotiation.
pfSense boots fast, the modem is (to) slow to open a new connection to the ISP. The pfSense WAN DHCP client repeats over an over a DHCP DISCOVER. This request never reaches the upstream DHCP server : the question is why this dead lock situation exists - why it is created ?
Many modems (ISPs) have their own explanation. This forum has many examples about modems not being very cooperative.
To work out something that works for every situation, the pfSense DHCP client has some 'advanced' options could be very useful.

Alanesi

I cannot access my local servers from the internet after the update to 2.5.1 while it was working before the update.
I have checked the firewall but nothing blocked. No changes on the port forwarding.
I can access Pfsense from the internet using HTTPS but not my local server which using HTTP.

Gertjan

@alanesi said in To 2.5.1 or not ? that is the question :):

I can access Pfsense from the internet using HTTPS

To make that work, you need a firewall rule on the WAN interface.

@alanesi said in To 2.5.1 or not ? that is the question :):

but not my local server which using HTTP

To make that work, you need a NAT rule.

To make it work again, you need to do some step by step NAT troubleshooting.
Can't tell you nothing because you told us close to nothing.

2 details :
Opening your https pfSense webserver to the Internet should be IP limited. Normally, its just is not done.
The IP you use to connect to the pfSense from the outside (you do connect from the outside, aren't you ?) indicates that you use the right IP.

edit :

A real example :

I have a 'DiskSation' (Synology NAS) living on my LAN. It has IPv4 192.168.1.33
pfSense has 192.168.1.1/24.

The HTTPS access of a DiskSation, by default, is 5001.

I added this NAT rule to pfSense :

and now I can access - from anywhere from the Internet, my DiskSation using https://myip.tld

Because I'm PATting from 443 to 5001 in pfSense, I t all works right away **

** That is : I also had to NAT my upstream ISP router.

Alanesi

@gertjan I appreciate your prompt reply.

I have reviewed the configurations but still cannot find the issue.

cellobita

@yanik Current status, according to https://redmine.pfsense.org/issues/11805:

• The bug with NAT not working on non-default gateways exists, and has been fixed;

• However, the patch involves an issue in the kernel, so it is not possible to patch it in-place.

• It will be included in the next release, but no, they do not know when that will be.

• From the amount of "I'm experiencing this too" posts there that have been periodically removed by jimp, it seems fairly widespread - I hope that this means that there'll be an interim release prior to 2.6.0, which is far in the future.

Gertjan

@cellobita said in To 2.5.1 or not ? that is the question :):

From the amount of "I'm experiencing this too" posts there that have been .....

Not enough as you can see.

Cool_Corona

@alanesi Your doing it wrong.

http -> http on wan ports and forwarded to http redirect to internal server

Gertjan

@cool_corona

Yeah, the port range, from 80 to 82 :

If the port range is needed he would be needing it, I guess.