Netgate Discussion Forum

    Upgrade from 2.2.6 - CARP, Multiple CA's, Lots of Users, Numerous Packages.

    Problems Installing or Upgrading pfSense Software
    • nighthawk

      Hi all,

      Guess I'm just looking for a bit of advice really.

      Got two fairly identical bits of hardware running pfSense 2.2.6 with various packages from the available repositories at the time.

      These are in a CARP setup which has been tested and still works fantastically.

      Now it's been a number of years since anything other than package updates and routine changes were made, as when 2.3 was announced nobody wanted to change something that just worked. If it isn't broke… don't fix it.

      This is arguably still the case, but I'm sure there are various security updates that are required.

      Anyway, enough blurb. I've read the upgrade guide/FAQ etc.; the fact is these machines cannot afford to be down for more than a few hours at best and preferably not more than an hour.

      So I'm looking for the best way to back up users and certs, and any advice on backing up the 2 CAs that have been created on here (I see the certs etc. don't come across with the backup XML). How does this upgrade affect a CARP setup? Can I leave one machine running (i.e. failover), disconnect the other and set up the CARP again later after the master (or new master) is ready to go in?

      Just looking for the advice of anyone that has done this, as the original update to 2.3 didn't look too friendly when released so it was pretty much just left alone.

      Appreciate I haven't gone into too much detail on specifics here. I'm more looking for how people got on with the upgrade: if they used CAs, how did they back these up, how did they back up users + individual certs, and if they had to reinstall... how much of a pain was that.

      Thanks,

      Alex.

      • Derelict LAYER 8 Netgate

        If you have done it in the GUI it will be in the config.xml.

        If you have done things outside of the GUI then you are pretty much on your own.

        The general procedure is to upgrade the secondary and thoroughly examine it after. If it looks good, then enter persistent maintenance mode on the primary to swing traffic over. If there is a problem, leave maintenance mode to swing the traffic back. You will be right where you were before since you haven't yet changed the primary.

        After running on the secondary until satisfied, upgrade the primary and leave maintenance mode, moving traffic back to the primary.

        A third system to test on the bench is even better.

        What packages?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
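
Added example, not part of the thread and not pfSense's own code: a pre-upgrade check that a config.xml backup really carries the CAs, certificates and user-to-certificate links discussed above. The element names (`<ca>`, `<cert>`, `<refid>`, `<caref>`, `<crt>`, `<prv>`, `<system><user>`) are an assumption about the config.xml layout, and the sample document and its PEM bodies are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

def _pem_ok(node, tag, marker):
    """True if <tag> holds base64 that decodes to a PEM block naming `marker`."""
    raw = "".join((node.findtext(tag) or "").split())
    try:
        pem = base64.b64decode(raw, validate=True).decode("ascii", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return "-----BEGIN" in pem and marker in pem

def inventory(xml_text):
    """List CAs, certs and users in a backup and flag anything that would not restore."""
    root = ET.fromstring(xml_text)
    cas = {c.findtext("refid"): c for c in root.findall("ca")}
    certs = {c.findtext("refid"): c for c in root.findall("cert")}
    report = {"cas": [], "certs": [], "users": [], "problems": []}
    for refid, ca in cas.items():
        # A CA without <prv> can still validate, but cannot sign new certs after a restore.
        report["cas"].append((ca.findtext("descr"), _pem_ok(ca, "prv", "PRIVATE KEY")))
        if not _pem_ok(ca, "crt", "CERTIFICATE"):
            report["problems"].append(f"CA {refid}: certificate missing or undecodable")
    for refid, cert in certs.items():
        caref = cert.findtext("caref")
        report["certs"].append((cert.findtext("descr"), caref))
        if caref and caref not in cas:
            report["problems"].append(f"cert {refid}: issuing CA {caref} not in backup")
    for user in root.findall("./system/user"):
        name, refs = user.findtext("name"), [r.text for r in user.findall("cert")]
        report["users"].append((name, refs))
        report["problems"] += [f"user {name}: cert {r} not in backup"
                               for r in refs if r not in certs]
    return report

def _b64(label):  # constructed placeholder PEM, not real key material
    pem = f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----"
    return base64.b64encode(pem.encode()).decode()

CRT, KEY = _b64("CERTIFICATE"), _b64("RSA PRIVATE KEY")
SAMPLE = f"""<pfsense>
  <system><user><name>alice</name><cert>c1</cert></user>
          <user><name>bob</name><cert>c9</cert></user></system>
  <ca><refid>ca1</refid><descr>VPN CA</descr><crt>{CRT}</crt><prv>{KEY}</prv></ca>
  <ca><refid>ca2</refid><descr>Imported CA</descr><crt>{CRT}</crt></ca>
  <cert><refid>c1</refid><descr>alice</descr><caref>ca1</caref><crt>{CRT}</crt><prv>{KEY}</prv></cert>
  <cert><refid>c2</refid><descr>orphan</descr><caref>ca7</caref><crt>{CRT}</crt></cert>
</pfsense>"""
```

Run `inventory()` on the backup of each CARP node and compare the two reports before upgrading the secondary; the backup file holds private keys, so store it as you would the keys themselves.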

        • nighthawk

          Great advice, thanks for that.

          Yes, done everything through the GUI and I've looked over the packages, other than spamd there doesn't appear to be too much of an issue package wise.

          I will export config.xml and also export the certs out as a precaution as well.

          Again many thanks.

          • Derelict LAYER 8 Netgate

            Also have a reinstallation image for the version you are coming from available along with config backups of both nodes.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.