Upgrade from 2.2.6 - CARP, Multiple CAs, Lots of Users, Numerous Packages.

  • Hi all,

    Guess I'm just looking for a bit of advice really.

    Got two fairly identical bits of hardware running pfSense 2.2.6 with various packages from the available repositories at the time.

    These are in a CARP setup which has been tested and still works fantastically.

    Now it's been a number of years since anything other than package updates and routine changes were made, as when 2.3 was announced nobody wanted to change something that just worked. If it isn't broke... don't fix it.

    This is arguably still the case, but I'm sure there are various security updates that are required.

    Anyway, enough blurb. I've read the upgrade guide/FAQ etc.; the fact is these machines cannot afford to be down for more than a few hours at best and preferably not more than an hour.

    So I'm looking for the best way to back up users and certs, and any advice on backing up the 2 CAs that have been created on here (I see the certs etc. don't come across with the backup XML). How does this upgrade affect a CARP setup? Can I leave one machine running (i.e. failover), disconnect the other and set up the CARP again later after the master (or new master) is ready to go in?

    Just looking for the advice of anyone that has done this, as the original update to 2.3 didn't look too friendly when released, so it was pretty much just left alone.

    Appreciate I haven't gone into too much detail on specifics here; I'm more looking for how people got on with the upgrade: if they used CAs, how did they back these up, how did they back up users and individual certs, and if they had to reinstall, how much of a pain was that.



  • LAYER 8 Netgate

    If you have done it in the GUI it will be in the config.xml.

    If you have done things outside of the GUI then you are pretty much on your own.

    The general procedure is to upgrade the secondary and thoroughly examine it after. If it looks good, then enter persistent maintenance mode on the primary to swing traffic over. If there is a problem, leave maintenance mode to swing the traffic back. You will be right where you were before since you haven't yet changed the primary.

    After running on the secondary until satisfied, upgrade the primary and leave maintenance mode, moving traffic back to the primary.

    A third system to test on the bench is even better.

    What packages?

  • Great advice, Thanks for that.

    Yes, done everything through the GUI and I've looked over the packages; other than spamd there doesn't appear to be too much of an issue package-wise.

    I will export config.xml and also export the certs out as a precaution as well.

    Again many thanks.

  • LAYER 8 Netgate

    Also have a reinstallation image for the version you are coming from available along with config backups of both nodes.
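
A pre-upgrade check on the config backups discussed in this thread, added here as an example and not posted by any participant: it audits an exported config.xml for CAs, certificates and user-to-certificate references before the secondary is upgraded. The element names (`ca`, `cert`, `refid`, `caref`, `crt`, `prv`, `system/user`) are assumed from the pfSense config.xml layout, and the sample backup is constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample backup; tag names are assumed from the pfSense config.xml layout.
PEM = base64.b64encode(b"-----BEGIN PLACEHOLDER-----").decode()
SAMPLE = f"""<pfsense>
  <system>
    <user><name>alice</name><cert>cert1</cert></user>
    <user><name>bob</name><cert>cert9</cert></user>
  </system>
  <ca><refid>ca1</refid><descr>VPN CA</descr><crt>{PEM}</crt><prv>{PEM}</prv></ca>
  <ca><refid>ca2</refid><descr>Web CA</descr><crt>{PEM}</crt></ca>
  <cert><refid>cert1</refid><caref>ca1</caref><crt>{PEM}</crt><prv>{PEM}</prv></cert>
</pfsense>"""

def has_pem(node, tag):
    """True if <tag> holds base64 text that decodes to a PEM header."""
    text = "".join((node.findtext(tag) or "").split())
    try:
        return base64.b64decode(text, validate=True).startswith(b"-----BEGIN")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def audit_backup(xml_text):
    """Return a list of gaps that would lose PKI or user data on restore."""
    root = ET.fromstring(xml_text)
    problems, cas, certs = [], set(), set()
    for ca in root.findall("ca"):
        refid = ca.findtext("refid")
        cas.add(refid)
        if not has_pem(ca, "crt"):
            problems.append(f"CA {refid}: certificate missing or unreadable")
        if not has_pem(ca, "prv"):
            problems.append(f"CA {refid}: no private key in backup (fine only for imported CAs)")
    for cert in root.findall("cert"):
        refid = cert.findtext("refid")
        certs.add(refid)
        if not has_pem(cert, "crt"):
            problems.append(f"cert {refid}: certificate missing or unreadable")
        caref = cert.findtext("caref")
        if caref and caref not in cas:
            problems.append(f"cert {refid}: references unknown CA {caref}")
    for user in root.findall("system/user"):
        for ref in user.findall("cert"):
            if ref.text not in certs:
                problems.append(f"user {user.findtext('name')}: references unknown cert {ref.text}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit_backup(SAMPLE)) or "backup looks complete")
```

Run it against the export from each CARP node and compare the results before touching the secondary. The exported file carries private keys, so store it with the same care as the keys themselves.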

