Can't update pfSense 2.3.3 when only LAN-port is connected



  • Dear forum-members,

    I have 2 pfsense-boxes in my network: one as a production-firewall, one as a standby-firewall. The standby-firewall is updated frequently with the config from the production-firewall, so in case of a problem we can switch to the standby-firewall immediately.

    The standby-firewall is only connected with the LAN-interface, the WAN-interface gets only connected when switching from prod-firewall to standby-firewall.

    I would like to upgrade the standby-firewall with the latest pfsense-release, but the standby-firewall can't update, in the dashboard it says: "Unable to check for updates".

    I have configured a default gateway on the standby-pfsense to the prod-pfsense, so it has internet-access. Under diagnostics I can ping www.google.com for example.

    Any suggestions on how I can update without the WAN-interface connected?



  • If you have a primary and standby, why not configure them in an HA arrangement?

    https://docs.netgate.com/pfsense/en/latest/highavailability/index.html



  • I'm planning to set up a configuration with HA, but for now I would like to test the pfsense-update on the standby-firewall with LAN only.
    Any suggestions are appreciated.



  • Depending on how "locked-up" and secure your production network is, you could simply plug the WAN from the standby into an open/available port on your production LAN network. Again, depending on how your network is config'd, this might be just fine, or maybe not. That would get the standby box internet access, then simply plug a laptop into the standby box LAN port and you should be able to update thru the webGUI all you want.

    Are you the only person in IT there, or do you have a department? If you've got a department, pass it by them and see what they say. If you've got all sorts of restrictive corporate network policies, the above instructions may be forbidden.

    Jeff



  • Thanks for the suggestion Jeff, that might work. Then I would have to temporarily change the WAN-IP to an IP in the LAN-segment and see if the update runs that way, and after the update change the IP back to the WAN IP.

    I'm going to try it, but I'm still a bit puzzled that internet-access is working fine when using the right gateway for the LAN-port, but the update-process won't work that way...



  • @hans70

    If your LAN hands out DHCP addresses, with no funny DNS or routing going on behind the scenes, you can temporarily set your standby WAN port to grab a DHCP address from production LAN. Then, when you're done, switch standby WAN back to its original settings.

    Jeff


  • Netgate Administrator

    It will conflict with the existing LAN subnet on the standby box if it has the same config as the main firewall.

    If both LANs are connected setting a temporary gateway as the main firewall LAN interface and making it default should work. Check it really is the default route in Diag > Routes.

    Try running the update from the command line, menu option 13. What error does it show?

    Steve



  • Both boxes have the same config, except for the LAN IP: the prod-box has 172.29.0.1, the standby-box has 172.29.0.100

    On the standby-box I have added a temporary gateway to 172.29.0.1, from the standby-box I can ping www.google.com for example, but updates don't work.

    If I try option 13 from the standby-box, it says:

    Updating repositories metadata...
    No active remote repositories configured.

    Ping via option 7 works:

    Enter a host name or IP address: www.google.com

    PING www.google.com (216.58.212.132): 56 data bytes
    64 bytes from 216.58.212.132: icmp_seq=0 ttl=56 time=3.167 ms
    64 bytes from 216.58.212.132: icmp_seq=1 ttl=56 time=3.142 ms
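    The two things the thread turns on are checkable before starting an update: whether the temporary default route really points at the main firewall's LAN address (Steve's "check it really is the default route" advice) and whether any pkg repository is enabled at all (the state behind "No active remote repositories configured"). The script below is an added example, not code from this thread or from the pfSense project. It parses constructed sample text, not output captured from the poster's boxes: a FreeBSD-style `netstat -rn` routing table using the addresses from the thread (standby LAN 172.29.0.100, main firewall 172.29.0.1) and pkg repository files in the `name: { key: value }` form pfSense keeps under /usr/local/etc/pkg/repos/ (that path, and the placeholder repository URLs, are assumptions). Run it on a box by feeding it real `netstat -rn` output and the contents of the repo files.

```python
"""Pre-update sanity checks for a pfSense box that only has a LAN path out.

Added example (not from the thread or pfSense). Two checks:
  1. the IPv4 default route exists and uses the expected gateway;
  2. at least one pkg repository block is enabled.
Assumed input formats: FreeBSD `netstat -rn` columns and pkg repo files
in UCL-like `name: { ... }` blocks (pfSense keeps them under
/usr/local/etc/pkg/repos/, an assumption not stated in the thread).
"""
import re

# Constructed `netstat -rn` output (IPv4 section only), not captured from
# the poster's firewall. The default route goes via the main firewall's LAN
# address, as set up in the thread.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.29.0.1         UGS         em1
127.0.0.1          link#3             UH          lo0
172.29.0.0/24      link#2             U           em1
172.29.0.100       link#2             UHS         lo0
"""

# Constructed repo configuration in which nothing is enabled: the state that
# yields "No active remote repositories configured". URLs are placeholders.
SAMPLE_REPO_CONF_BROKEN = """\
FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+https://REPO-PLACEHOLDER.example/${ABI}/core",
  mirror_type: "srv",
  enabled: no
}

pfSense: {
  url: "pkg+https://REPO-PLACEHOLDER.example/${ABI}/packages",
  mirror_type: "srv",
  enabled: no
}
"""

# Same layout with the pfSense repositories switched on (also constructed).
SAMPLE_REPO_CONF_OK = SAMPLE_REPO_CONF_BROKEN.replace(
    'mirror_type: "srv",\n  enabled: no', 'mirror_type: "srv",\n  enabled: yes')

_BLOCK_START = re.compile(r"([\w.-]+)\s*:\s*\{")


def default_gateway(netstat_text):
    """Return the gateway of the first 'default' route line, or None.

    Only the IPv4 section is expected; an IPv6 'default' line would come
    later in real output and is ignored by taking the first match.
    """
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "default":
            return fields[1]
    return None


def parse_repo_blocks(conf_text):
    """Map repo name -> block body, tracking brace depth so that `${ABI}`
    inside a URL does not end the block early."""
    blocks, pos = {}, 0
    while True:
        m = _BLOCK_START.search(conf_text, pos)
        if not m:
            return blocks
        depth, j = 1, m.end()
        while j < len(conf_text) and depth:
            depth += {"{": 1, "}": -1}.get(conf_text[j], 0)
            j += 1
        blocks[m.group(1)] = conf_text[m.end():j - 1]
        pos = j


def enabled_repos(conf_text):
    """Names of repositories whose block says enabled: yes/true."""
    names = []
    for name, body in parse_repo_blocks(conf_text).items():
        flag = re.search(r"enabled\s*:\s*(\w+)", body)
        if flag and flag.group(1).lower() in ("yes", "true"):
            names.append(name)
    return names


def check_update_path(netstat_text, conf_text, expected_gw):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    gw = default_gateway(netstat_text)
    if gw is None:
        problems.append("no default route: updates cannot reach the mirror")
    elif gw != expected_gw:
        problems.append(f"default route via {gw}, expected {expected_gw} (see Diag > Routes)")
    if not enabled_repos(conf_text):
        problems.append("no enabled pkg repository: expect "
                        "'No active remote repositories configured'")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_REPO_CONF_BROKEN), ("ok", SAMPLE_REPO_CONF_OK)):
        print(label, check_update_path(SAMPLE_NETSTAT, conf, "172.29.0.1") or "all checks passed")
```

    A gateway that answers ping but no enabled repository gives exactly the symptom in the thread: connectivity tests pass while the updater has nowhere to fetch from, which is why the repository check is worth running before blaming routing.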



  • I was able to update the standby-box the following way (more or less by accident...):

    System / Update / Update Settings: I switched the branch a few times, saving the settings in between.

    Suddenly I noticed that the available branch-options changed: instead of 2.3 options, 2.4.x options became available. But when I tried to update from the GUI, still no success. However: when I connected via SSH, this time option 13 "Update from console" worked!

    I'm now on 2.4.4-RELEASE-p2 and everything looks normal...


  • Netgate Administrator

    Ah, great. Coming from 2.3.4 or earlier can be a bit sketchy. There are several repo and upgrade package updates that need to apply before you see the 2.4.X updates.
    Glad you were able to resolve it.

    Steve

