Update 2.3.x without WAN access


  • Rebel Alliance Moderator

    Hi,

    with the changes in update-handling that 2.3.x brought, is there a nice and clean way to upgrade systems "old-style" with a single update file without

    a) using a proxy (not possible)
    or
    b) reinstalling everything from scratch (not possible either in some places)

    I have been asked this question quite a lot by our customers since 2.3 came out, and there have been quite a few threads in the German forums as well, so it would be nice to have some more detailed answers. Another thing would be the question of whether it is possible/doable to create some sort of local mirror of the pfSense package repository (like a Red Hat or Ubuntu package mirror) so you could use that to update a multitude of systems.

    Sometimes pfSense is used in very strictly policed network locations, so it would be nice to have an update method in place for that case, too.

    Greets



  • I also face this problem with a number of installations without internet access. It would be good to know if there is a solution, or if there are plans in working towards one?



  • +1 from me too

    This is what I was suggesting in a different thread: @robi:

    +1 for a way to update systems offline!

    Scenarios when this is required:

    • when internal pfSense systems can't see the internet, only through proxy (like above)
    • when upgrading spare (second) hardware offline first, and replacing in production environment just by plugging the cables between the old and the new, to ensure minimal downtime and 100% working previous state

    I would imagine something like a utility to analyze the configuration first, and evaluate if it's possible or not to do the update offline (meaning: no direct internet connection available at the moment when the system boots up first time after the upgrade).
    For offline update, offer the possibility to download the package files somehow manually, and be able to give them to the firewall during the first boot after the update, to be able to finish it properly.
    Like a gzipped file containing all that's needed for package reinstallation, pretty much like Dropbox does.



  • Hi All

    I have the same issue. I have a VM which is running pfSense 2.3 and need to update to 2.3.1, however this particular firewall is in a secure environment and has no internet access. How can I perform an offline update, as this feature seems to have been removed?

    Thanks



  • Your only solution at the moment seems to be to create a new VM with exactly the same parameters (nics, networks etc) as the old one, install fresh from an ISO, create a backup config from the old one, power it off, power on the new one and restore the config.

    Beware that the new VM will have new virtual MAC addresses on each nic, you may want to copy the MAC addresses from the old VM, or better spoof the MAC addresses within pfSense's configuration first on the old machine, so that they will go along with the config to the new one…



  • Thanks for the response Robi.

    This is definitely not the most logical way to perform an upgrade.

    I do hope that pfSense adds this feature back in, like it was in previous versions.



  • create a new VM with exactly the same parameters (nics, networks etc) as the old one

    You can avoid that by:

    • take a snapshot of the real VM
    • save the config
    • put a copy of the snapshot somewhere that has internet access
    • do whatever it takes to actually get the snapshot internet access (e.g. switch its WAN to DHCP or…)
    • do the upgrade on the snapshot from the internet
    • restore the previous config back to the snapshot
    • copy the upgraded snapshot back off the internet, back in place of the old version VM that was running.

  • Rebel Alliance Moderator

    Hi Phil,

    as much as I appreciate your answer, it isn't working. As I've already been told in many posts and direct conversations, pfSense is used in situations where there is NO possible WAN connectivity. Period. It's not that we aren't trying hard enough to get it there, but a matter of various approaches like policies that do forbid direct connects or other hurdles. So if it is possible at all to create something like a small pfSense mirror that could provide upgrade files to internal systems, or simply a matter of using a live medium to update the installation, that would be the solution to that problem. If we could e.g. fire up the USB/ISO version for, let's say, 2.3.2 and put it into a system running 2.3 and update it that way, that would be fine, too.

    Just a way to update without having an up and running WAN connection would be enough for those systems. Reinstalling isn't a viable solution in many of those cases.

    Greets



  • I'm all in.
    Facing this problem with at least half a dozen installs of mine. All islands (control network of banks, insurance companies, etc.)



    @JeGr and others, yes I understand that there are situations where policy/security means that you are not allowed to connect the router to the public internet by any means at all (banks, defence…). Router software needs to be got in some controlled way, either a fully-built set of software from some trusted place, or the source code (again from a trusted place) and build it yourself. And then that authorized software can be taken into the internal network and applied to the devices.

    For that there really does need to be either an upgrade file (like there used to be), or some (relatively easy) way to bundle up the whole upgrade package server environment so that it can be moved into an internal network as needed and used there to serve upgrades to internal devices.


  • Rebel Alliance Moderator

    So I assume there's nothing in place for interested parties to mirror the official update repo into their infrastructure? Would there be a manual way or is that completely out of the ballpark and another solution is preferred?



  • Isn't there an upgrade image you can download on the main pfsense download page?



  • @mattlach:

    Isn't there an upgrade image you can download on the main pfsense download page?

    There we go:

    Does this upgrade image not do what I think it does?



    That image is used on a "less than 2.3" system (1.*, 2.1.*, 2.2.*) to upgrade to 2.3.*.
    Once you get to 2.3.*, then there is no longer any way to use that to apply further upgrades.
    And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.



  • @JeGr:

    Hi Phil,

    as much as I appreciate your answer, it isn't working. As I've already been told in many posts and direct conversations, pfSense is used in situations where there is NO possible WAN connectivity. Period. It's not that we aren't trying hard enough to get it there, but a matter of various approaches like policies that do forbid direct connects or other hurdles. So if it is possible at all to create something like a small pfSense mirror that could provide upgrade files to internal systems, or simply a matter of using a live medium to update the installation, that would be the solution to that problem. If we could e.g. fire up the USB/ISO version for, let's say, 2.3.2 and put it into a system running 2.3 and update it that way, that would be fine, too.

    Just a way to update without having an up and running WAN connection would be enough for those systems. Reinstalling isn't a viable solution in many of those cases.

    Greets

    +1 for that



  • @phil.davis:

    And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.

    Why?
    I don't see any benefit except for ESF being able to control who can get which image.
    What's wrong about having an upgrade or install stick to service existing installs or building a small system on the fly if need be?
    Sorry, this direction just doesn't feel right and seems unnecessary.



  • @jahonix:

    @phil.davis:

    And once 2.4 comes out, that upgrade image will no longer be even made. If you want to upgrade "manually" from (e.g.) 2.2.* you will be able to use the last 2.3.* upgrade image. Then to get to 2.4 you will have to do it online.

    Why?
    I don't see any benefit except for ESF being able to control who can get which image.
    What's wrong about having an upgrade or install stick to service existing installs or building a small system on the fly if need be?
    Sorry, this direction just doesn't feel right and seems unnecessary.

    This commit:
    Stop building full update images, users will need to reach 2.3 first and then go to newer versions
    https://github.com/pfsense/pfsense/commit/099570f2b28898f5f2d8c725c92add860fabfa0f
    I believe is where the implementation of the above starts.
    I have nothing to do with setting the policy or roadmap, I am just reporting what is happening in the GitHub repo(s).

    Can someone from ESF point us to an official "roadmap" or other announcement that has the proper details of the plan going forward, particularly for what install images, upgrade images and upgrade methods will be available from what version…?



  • @phil.davis:

    I have nothing to do with setting the policy or roadmap, I am just reporting what is happening in the GitHub repo(s).

    I am absolutely aware of that. Thanks!

