PfSense double install for maintenance failback

    The front door for my home network is a single pfSense firewall on a dedicated headless PC running with two load balanced WANs and one LAN. I built it with pfSense 2.1.4 on a 58G SSD. It's running just fine - but of course that's an elderly build and I really ought to be updating. On the other hand, it ain't broke so I'm very wary of "fixing" it.

    I don't have spare hardware to swap in, or even to test with, so I'm having to be careful as domestic crisis point will occur within minutes of internet deprivation.

    What I want is to set up two matching bootable copies of pfSense on the SSD, so that I can pick either one as the image to boot. Then I could upgrade one copy of pfSense and failback instantly if it all goes wrong.

    My first question: "is this even possible?"

    From memory and what I have read recently, the pfSense installation process seems to be oriented around a clean build - so is this likely to override any partitioning and setup I do?

    Assuming it's not completely hopeless, I'm trying to sort out the boot process - which ideally I'd like to be software-settable rather than having to attach a keyboard (especially as I'm having trouble with USB keyboards during the boot phase on this box … another story!)

    So far I've attached and partitioned a USB HDD to use to emulate my target setup and to act as a temporary drive while the SSD is rebuilt. I set up MBR for the whole (465G) disk and two small BSDs within that, similar to the size I expect to get for each on the SSD. As far as I can see, MBR seems to be what pfSense prefers.

    [pfSense]: ~ # gpart show
    =>        63  123091857  ad4  MBR  (58G)
              63  123091857    1  freebsd  (58G)

    =>         0  123091857  ad4s1  BSD  (58G)
               0         16         - free -  (8.0k)
              16  114703233      1  freebsd-ufs  (54G)
       114703249    8388608      2  freebsd-swap  (4.0G)

    =>        63  976773105  da0  MBR  (465G)
              63   60817365    1  freebsd  (29G)
        60817428   60817365    2  freebsd  (29G)
       121634793  855138375       - free -  (407G)

    =>        0  60817365  da0s1  BSD  (29G)
              0      1985         - free -  (992k)
           1985  50331648      1  freebsd-ufs  (24G)
       50333633   8388608      2  freebsd-swap  (4.0G)
       58722241   2095124         - free -  (1G)

    =>        0  60817365  da0s2  BSD  (29G)
              0      2028         - free -  (1M)
           2028  50331648      1  freebsd-ufs  (24G)
       50333676   8388608      2  freebsd-swap  (4.0G)
       58722284   2095081         - free -  (1G)

    I've a feeling I've got the partition boundaries a bit wrong - but at least I can:
      mount /dev/da0s1a /mnt
    (or da0s2a) and rsync files to it - which would work fine for my process. I could mount the failover image onto the live one and rsync before starting an upgrade, and if there's a problem I just reboot and flip to the other image.

    Can't figure out quite how to make these images bootable - I've done
      gpart bootcode -b /boot/boot0 da0
      gpart bootcode -b /boot/boot da0s1
      gpart bootcode -b /boot/boot da0s2
    which I thought was enough - it might even be correct: my keyboard issue means I can see the boot0 prompt to press F5 to boot from my other disk but can't select it. I'd like to be able to script the default boot device anyway.

    TL;DR: Two main questions (for now…)
    1. Is it possible to set up two copies of pfSense on two disk partitions and pick which one I want to boot?
    2. Can I set the boot drive and partition from a command (or config file) before I reboot?
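One way to answer the second question from the command line, as an added example that is not part of the original post: FreeBSD's boot0cfg(8) writes the default slice selection into the boot0 MBR code that `gpart bootcode -b /boot/boot0` installed, so the next boot can be steered to slice 1 or 2 without a keyboard (`boot0cfg -v da0` prints the current setting). The script below assumes the layout in the gpart output above (disk da0, live root on da0s1a, standby root on da0s2a) and that rsync is installed; the mount point /mnt, the exclude list and the `failover_prepare` name are the example's own choices. The one detail that matters when cloning a root filesystem this way is /etc/fstab: a straight copy still names the live slice's devices, so the standby boot would mount the live root, which is why the copy's fstab is rewritten before the default slice is switched.

```shell
#!/bin/sh
# Added example, not from the original post: clone the live pfSense root to a
# standby MBR slice and make that slice the default for the next boot.
# Assumed layout (hypothetical, adjust to taste): disk da0, live slice da0s1,
# standby slice da0s2, standby root partition /dev/da0s2a, mount point /mnt.

# boot0 can only select MBR slices 1-4 (F5 is "next drive", handled separately).
valid_slice() {
    case "$1" in
        1|2|3|4) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the boot0cfg(8) command that makes slice $2 the default on disk $1.
# -s sets the default selection; -o noupdate stops boot0 from overwriting that
# default with whatever was last picked at the F-key prompt, so the choice made
# here is what boots until this script (or boot0cfg) changes it again.
boot0_select_cmd() {
    disk=$1; slice=$2
    valid_slice "$slice" || { echo "bad slice: $slice" >&2; return 1; }
    echo "boot0cfg -s $slice -o noupdate $disk"
}

# Print $1 (an fstab) with every /dev/<live slice> reference pointed at the
# standby slice, so the copy mounts its own root (a) and swap (b) partitions.
# $2 = live slice name (e.g. da0s1), $3 = standby slice name (e.g. da0s2).
rewrite_fstab() {
    sed "s|/dev/$2|/dev/$3|g" "$1"
}

# Whole procedure: mount the standby root, copy the live root into it, fix the
# copied fstab, then switch the boot0 default. Run as root on the live system.
# $1 = disk (da0), $2 = live slice (da0s1), $3 = standby slice (da0s2), $4 = slice number (2)
failover_prepare() {
    disk=$1; live=$2; standby=$3; slice=$4
    valid_slice "$slice" || return 1
    mount "/dev/${standby}a" /mnt || return 1
    # -x stays on the root filesystem (so /mnt, the destination, is not copied
    # into itself); /dev is populated by devfs at boot, /tmp is scratch.
    rsync -aHx --delete --exclude=/dev/* --exclude=/mnt/* --exclude=/tmp/* / /mnt/ || { umount /mnt; return 1; }
    rewrite_fstab /mnt/etc/fstab "$live" "$standby" > /mnt/etc/fstab.new \
        && mv /mnt/etc/fstab.new /mnt/etc/fstab || { umount /mnt; return 1; }
    umount /mnt
    # From here a plain reboot lands on the standby copy; to fail back, run
    # boot0cfg with the live slice number instead.
    eval "$(boot0_select_cmd "$disk" "$slice")"
}

# Only act when explicitly asked, e.g.: sh prepare.sh run da0 da0s1 da0s2 2
if [ "${1:-}" = "run" ]; then
    shift
    failover_prepare "$@"
fi
```

Sync the standby before each upgrade, upgrade the live slice, and if the upgrade goes wrong run `boot0cfg -s 2 -o noupdate da0` (or the script with the slice numbers swapped the other way) and reboot; the F-key prompt never needs to be answered.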