Stay at 2.4.5-p1 or go to 2.5.2?
-
Hi guys
what do you recommend at the moment?
thanks for your replies
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
Hi guys
what do you recommend at the moment?
Me? Update as soon as possible.
-
@slu I had some systems that didn't work well on 2.5.0. At the time my only option in the field was to promote them to 2.6.0.
I held the rest back and kept them on 2.4.5p1 until today. I have upgraded to 2.5.2 without any problems so will probably go back to those on 2.6.0 and change them to 2.5.2 also.
-
Update as soon as possible.
What are the attack vectors for 2.4.5-p1 in a SOHO environment if no VPN is being used?
-
@thiasaef said in Stay at 2.4.5-p1 or go to 2.5.2?:
What are the attack vectors for 2.4.5-p1 in a SOHO environment if no VPN is being used?
Read the release notes:
https://docs.netgate.com/pfsense/en/latest/releases/index.html
Looks like 2.4.5-p1 is still supported:
https://docs.netgate.com/pfsense/en/latest/releases/index.html#current-upcoming-supported-releases
But the question was "what do you recommend at the moment?" without any information...
So what's the right answer...?
-
So what's the right answer...?
I have read several times now that it would be unsafe to continue using 2.4.5-p1, but I don't see why. Therefore the question.
-
@thiasaef said in Stay at 2.4.5-p1 or go to 2.5.2?:
it would be unsafe to continue using 2.4.5-p1
By far, the most important factor is : what are you doing with your firewall / router / pfSense ?
The dangerous factor is and stays the "admin", and what he did with the firewall, how he set it up, what extra functionality he added.
If it was me : use 2.5.2 right away. I wouldn't be surprised if this is the version called "2.5.0" that we have been talking about for years.
-
@vmb said in Stay at 2.4.5-p1 or go to 2.5.2?:
I held the rest back and kept them on 2.4.5p1 until today. I have upgraded to 2.5.2 without any problems so will probably go back to those on 2.6.0 and change them to 2.5.2 also.
I spoke too soon. I am still having problems with unbound frequently stopping. I have also experienced the USB Ethernet adaptor disconnect twice today with only SSH traffic whereas it was totally reliable under a much heavier load on 2.4.5p1 just a day ago.
I will be moving up to 2.6.0 later today.
-
I have the same question. I tried updating my 7100 a month or so ago. Nothing worked. Couldn't even restore the config after reinstalling 2.4.5. Support had to alter the config to work. I want to upgrade but not if it's not going to work.
-
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
7100
Netgate's 7100 ?
Didn't see any messages from Netgate that say : ok for everybody except some of our own equipment.
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
Support had to alter the config to work
See https://docs.netgate.com/pfsense/en/latest/releases/versions.html
New revisions could change known parameter names and values (the meaning of the value).
Ok to go back to 2.4.5 - just used the last backed up config from that version.
Upgrading pfSense, or importing a config revision that is (somewhat) older will work.
The other way : probably not without some manual editing.
-
@gertjan yes, XG-7100
The config was known-good from 2.4.5 but didn’t work even after re-imaging 2.4.5. They had to change the update channel. It tried pulling down the package versions that don’t work in 2.4.5.
But anyway, I’m afraid of trying the upgrade again
-
Any new recommendations for us stuck on 2.4.5-p1?
-
@tohil at the end of the day, you are the decision maker.
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
Any new recommendations for us stuck on 2.4.5-p1?
I don't get it.
First, you said :
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
what do you recommend at the moment?
and now you're stuck ?
If you live in a free country, do what @mr-rosh said : make up your mind and go for it.
-
@tohil I bought some extra used equipment to use to swap in for upgrades which allows me to preserve my current environment should I need to quickly return to it. The extra kit doubles up for emergency hardware swaps if I should need it. I am running 2.6.0 at the moment but I am testing the 'new' kit running 2.5.2 and will simply swap this hardware into my production environment soon.
My long term plan is to reduce my reliance on pfSense packages and move those applications/services off pfSense and on to their own hardware, real or virtual in the DMZ. By doing so, I can easily backrev to a previous pfSense release after upgrade day as I won't have a dependency on a non-existent package repository.
It is a lot of work to install those services outside of pfSense. I lose the convenience of the pfSense packages, the GUI and the testing by others. But it is worth it to me to be free of the avoidable aggravation caused when Netgate removes the old package repo on upgrade day.
I am also considering returning to an old-school firewall layout with one pfSense as an external border firewall, and another as an internal firewall with a proper 'transport' DMZ network connecting the two. I will use a number of spur DMZ's from the internal pfSense for internal only services. In this type of setup, pfSense is easily replaceable but I have the exclusive burden of supporting it.
-
@gertjan
I’m certain what he means by stuck has little to do with freedom in his country and more to do with the upgrade not working out as expected, and the upgrade troubleshooting guide providing little to no guidance on the particular issue.
-
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
@gertjan
I’m certain what he means by stuck has little to do with freedom in his country and more to do with the upgrade not working out as expected, and the upgrade troubleshooting guide providing little to no guidance on the particular issue.
What issues is he having? I went from 2.4.5-p1 to 2.5.1 to 2.5.2 and have had no issues. I'm probably not running the same addon packages as he is but without more information about what issues he is having or thinks he might have, no one but himself can make the decision that he wants someone else to make for him.
-
@jdeloach said in Stay at 2.4.5-p1 or go to 2.5.2?:
What issues is he having?
You get my point.
I didn't see any details.
@bhjitsense I won't / can't discuss the real reasons.
Me mentioning the "country" stands for "whatever reasons he has".
I'll respect any reason.
But I want details, so I can try to find real answers.
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
I’m certain what he means by stuck ....
"He means" ? That's you filling in the blanks - like me ;)
I'm not sure your issue == his issue.
-
Hi guys
before we go to politics and laws per country, I will share some more details with you about my installation.
There have been a lot of concerns and issues when 2.5.x came out, because of that a lot of people still stay at 2.4.5.
I just want some personal experience feedback from the community.
my box runs these packages:
Avahi
haproxy
pfBlockerNG
openvpn-client-export
thanks
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
Avahi
haproxy
pfBlockerNG
openvpn-client-export
I never saw / used HAProxy but I use Avahi, pfBlockerNG and openvpn-client-export.
Go for 2.5.2 right now !! But do take the classic precautions :
Mine are :
I've a USB stick ready with the current pfSense version.
I've my daily config file backups.
Before upgrading :
Inspect all log files, and look for less common messages.
Do a clean reboot of pfSense, and check if every service comes back operational.
If possible, check the entire boot up process from the console. Archive this 'console log'.
Check if the 'pkg' system is fully operational. That is, without actually typing Y (for yes), execute the commands from here Troubleshooting Upgrades and here Upgrade Guide.
Test for good DNS functionality.
Check disk space - processor load average.
All fine ?
Take your coffee/tea/whatever, shut down the GUI, use the console, and type
13
and hit Enter.
Enjoy the ride.
Make photos (or better : have the log logged) if you see something you want to understand / ask about.
I'm doing this very procedure for a decade or so, and it just works out.
Remember : If you know how to go forward, you know how to go backwards.
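
Several of the pre-upgrade checks in the post above (unusual log messages, disk space, load average, a recent config backup) can be scripted. This is an added example, not part of the thread or of pfSense's own tooling; the function names, thresholds and sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: helpers for the pre-upgrade checks listed in the post above.
# Function names, thresholds and sample data are assumptions.

# Print log messages seen at most $1 times. Timestamp and host are dropped and
# digits masked, so routine lines collapse and unusual ones stand out.
rare_messages() {
    sed -E 's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ //; s/[0-9]+/N/g' |
        sort | uniq -c |
        awk -v max="$1" '$1 <= max { $1 = ""; sub(/^ /, ""); print }'
}

# Read `df -P` output on stdin; print "mount pct%" for filesystems above $1 %.
disk_over_limit() {
    awk -v max="$1" 'NR > 1 { p = $5; sub(/%/, "", p)
                              if (p + 0 > max + 0) print $6 " " p "%" }'
}

# Succeed if load average $1 does not exceed CPU count $2.
load_ok() {
    awk -v l="$1" -v n="$2" 'BEGIN { exit !(l + 0 <= n + 0) }'
}

# Succeed if config backup $1 exists and was modified within the last $2 days.
backup_fresh() {
    [ -n "$(find "$1" -mtime -"$2" 2>/dev/null)" ]
}

# Constructed sample input, not real firewall output.
sample_log() {
    cat <<'EOF'
Jul 10 03:00:01 fw cron[411]: (root) CMD (periodic)
Jul 10 03:05:01 fw cron[498]: (root) CMD (periodic)
Jul 10 03:10:01 fw cron[512]: (root) CMD (periodic)
Jul 10 03:11:42 fw kernel: ue0: link state changed to DOWN
EOF
}
sample_df() {
    cat <<'EOF'
Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/ufsid/abc     7000000 6300000    700000      90% /
tmpfs                 1000     100       900      10% /tmp
EOF
}

echo "Rare log messages:";    sample_log | rare_messages 1
echo "Filesystems over 80%:"; sample_df | disk_over_limit 80
load_ok 0.42 2 && echo "Load average OK"
```

On the firewall itself, feed the functions the output of `df -P` and the text of the system log instead of the samples; the DNS and `pkg` checks are left to the commands in the guides the post refers to.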