Noob question: How do you decide when to upgrade your pfSense?

  • I'm new to pfSense.  Been running v2.3.3 for about a month on a dedicated Protectli box.  Working well in my home network.  How do you all decide to upgrade to a new version?  Are new versions typically pretty safe or does it pay to wait for an incremental release?


  • LAYER 8 Global Moderator

    I have always upgraded as soon as a new version comes out or even just a p1 for example.  Especially if on a home network - new version available, update would be my suggestion.  I am currently running 2.4 beta and update every few days to current snap.

    Take a backup of your config and pull the trigger!

  • I do a bit of a "waterfall" immediately the release is available:

    1. Upgrade a test VM on VirtualBox in my laptop - zero pain option that verifies the general upgrade process

    2. Upgrade at home

    3. Upgrade a spare at the office (multiple spares if I have different sets of spare hardware matching production installs)

    4. Upgrade the office where I am (usually around 24 to 48 hours after the upgrade is available)

    5. Remotely upgrade offices that are "within reasonable distance/time to get to" 1-by-1 and make sure they come back online, VPNs come back up to the main office.

    At this point I have good confidence that:

    • the general upgrade works
    • inter-office VPN functionality works (i.e. I will be able to get back in remotely and deal with any little things)
    • the new version boots and runs OK on the different hardware we have grown to have over the years
    6. Remotely upgrade other offices that will be a pain to get to if they do not come back!

    *** And always make sure you have a current config backup where you can get to it easily before doing anything ***

  • There are many views on upgrading…. I will share with you my general approach (Synology, Android, etc...)

    I currently still don't own a pfSense box :D

    Assuming it's only for home use, you don't have big secrets to protect, pfSense is not your full time hobby, you are not an active pfSense user in the community, you don't have a job in the network routing domain and you don't want to spend too much time updating a router box.

    Below is my order (1st being the highest priority)

    1. ASAP if there is a major exploit or vulnerability that is trending online (e.g. read on Apache Struts)
    2. pfSense released a patch version that fixes a bug affecting you directly (feature) or indirectly (performance, high cpu or memory leaks)
    3. When pfSense releases a minor version you really require (feature, performance)
    4. When your version is no longer supported, might be time to upgrade (if time permits)
    5. Major version changes, hardware supports it, it's time to upgrade to keep up  (if time permits)
