Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?
-
I'm just getting around to planning an upgrade from 2.4.5 to 2.5.2, and I'm wondering if I'm likely to experience any issues with pfBlockerNG (2.x series, not the 3.x dev)? Any feedback would be much appreciated.
-
@guardian said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
pfBlockerNG (2.x series, not the 3.x dev)
The 2.x is more or less totally non-supported. It was ages ago when it received its last update.
Functionality hasn't been added at all for a long time.
I guess it still exists under 2.5.2 because there are no security issues and it "still works".
If there was a major issue, the author would probably just pull the plug on it.
The 3.x is used by thousands and actually left the 'dev' state many versions ago.
All this is IMHO of course?
-
@guardian We have been using pfBlocker-devel for a couple years now because we couldn't get the MaxMind key to work on the original. One issue with it is that during package installation/upgrade unbound can stop so you need to start it to have DNS working again. That's just during the install though. And by my vague understanding/recollection isn't fixable by pfBlocker, it's an issue with unbound in pfSense somehow, interacting with the installation process.
Otherwise have not had any issues with upgrading but I normally follow Netgate's advice to uninstall packages, upgrade, and reinstall packages. (which, notably, can prevent pfBlocker aliases from working during the upgrade)
-
@gertjan said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
@guardian said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
pfBlockerNG (2.x series, not the 3.x dev)
The 3.x is used by thousands and actually left the 'dev' state many versions ago.
@gertjan Thanks for the reply. Just wondering if it still stays "dev" in the package list on a fully up-to-date system? It would be nice if the author could change that if it's really stable.
@steveits said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
@guardian We have been using pfBlocker-devel for a couple years now because we couldn't get the MaxMind key to work on the original. One issue with it is that during package installation/upgrade unbound can stop so you need to start it to have DNS working again. That's just during the install though. And by my vague understanding/recollection isn't fixable by pfBlocker, it's an issue with unbound in pfSense somehow, interacting with the installation process.
Otherwise have not had any issues with upgrading but I normally follow Netgate's advice to uninstall packages, upgrade, and reinstall packages. (which, notably, can prevent pfBlocker aliases from working during the upgrade)
@steveits Thanks for this... Just for clarity, would it be a good idea to backup the config (which I would do regardless), uninstall the packages, run the upgrade, and restore the config? Would that get me back to where I was before the upgrade?
-
@guardian said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
would it be a good idea to backup the config (which I would do regardless), uninstall the packages, run the upgrade, and restore the config
pfBlocker (and most other packages) by default will retain the config. There is a Keep Settings option on the General tab: "With 'Keep settings' enabled, pfBlockerNG will maintain run state on Installation/Upgrade." pfBlockerNG-devel will import settings from pfBlockerNG. There should be no need to restore the entire pfSense configuration.
-
@steveits said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
@guardian said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
would it be a good idea to backup the config (which I would do regardless), uninstall the packages, run the upgrade, and restore the config
pfBlocker (and most other packages) by default will retain the config. There is a Keep Settings option on the General tab: "With 'Keep settings' enabled, pfBlockerNG will maintain run state on Installation/Upgrade." pfBlockerNG-devel will import settings from pfBlockerNG. There should be no need to restore the entire pfSense configuration.
@steveits My reasoning was not just about pfBlockerNG--I was thinking that it would be a lot easier than having to remember everything that I had installed and go one-by-one with the reinstallation. Uninstall everything, then upgrade from 2.4.5-p1->2.5.2, and then restore the config. IIUC that would force an installation of all the packages that I had before the upgrade?
Since I want to reinstall pfBlocker, I could save another copy of the config after removing pfBlocker and then uninstall everything else.
Am I missing something, or is this a good procedure to follow?
-
@guardian There's normally no reason to backup/restore with an upgrade unless you're intending to format and reinstall. Netgate recommends removing packages.
Restoring a config with packages will install the packages if they're not installed.
-
@steveits said in Any pfBlocker issues with Upgrade from 2.4.5 to 2.5.x?:
Netgate recommends removing packages
I'd like to add:
When all packages are removed, reassure yourself that basic firewall operations are good. A 24-hour cool-down and one or two reboots are also advisable. Issues that are present before an upgrade will pop up, and have to be dealt with before the upgrade.