1. Home
  2. pfSense® Software
  3. Installation and Upgrades
  4. Can't update pfSense 2.3.3 when only LAN-port is connected

Can't update pfSense 2.3.3 when only LAN-port is connected

  • H

    Dear forum-members,

    I have 2 pfsense-boxes in my network: one as a production-firewall, one as a standby-firewall. The standby-firewall is updated frequently with the config from the production-firewall, so in case of a problem we can switch to the standby-firewall immediately.

    The standby-firewall is only connected with the LAN-interface, the WAN-interface gets only connected when switching from prod-firewall to standby-firewall.

    I would like to upgrade the standby-firewall with the latest pfsense-release, but the standby-firewall can't update, in the dashboard it says: "Unable to check for updates".

    I have configured a default gateway on the standby-pfsense to the prod-pfsense, so it has internet-access. Under diagnostics I can ping www.google.com for example.

    Any suggestions how I can update without the WAN-interface connected?

    0
  • KOM

    If you have a primary and standby, why not configure them in an HA arrangement?

    https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

    0
  • H

    I'm planning to set-up a configuration with HA, but for now I would like to test the pfsense-update on the standby-firewall with LAN only.
    Any suggestions are appreciated.

    0
  • A

    Depending on how "locked-up" and secure your production network is, you could simply plug the WAN from the standby into an open/available port on your production LAN network. Again, depending on how your network is config'd, this might be just fine, or maybe not. That would get the standby box internet access, then simply plug a laptop into the standby box LAN port and you should be able to update thru the webGUI all you want.

    Are you the only person in IT there, or do you have a department? If you've got a department, pass it by them and see what they say. If you've got all sorts of restrictive corporate network policies, the above instructions may be forbidden.

    Jeff

    0
  • H

    Thanks for the suggestion Jeff, that might work. Then I would have to temporarily change the WAN-IP to a IP in the LAN-segment and see if the update runs that way, and after update change the IP back to the WAN IP.

    I'm going to try it, but I'm still a bit puzzled that internet-access is working fine when using the right gateway for the LAN-port, but the update-process won't work that way...

    0 A 1 Reply
  • A

    @hans70

    If your LAN hands out DHCP addresses, with no funny DNS or routing going on behind the scenes, you can temporarily set your standby WAN port to grab a DHCP address from production LAN. Then, when you're done, switch standby WAN back to it's original settings.

    Jeff

    0
  • stephenw10
    Netgate Administrator

    It will conflict with the existing LAN subnet on the standby box if it has the same config as the main firewall.

    If both LANs are connected setting a temporary gateway as the main firewall LAN interface and making it default should work. Check it really is the default route in Diag > Routes.

    Try running the update from the command line, menu option 13. What error does it show?

    Steve

    0
  • H

    Both boxes have the same config, except for the LAN IP: the prod-box has 172.29.0.1, the standby-box has 172.29.0.100

    On the standby-box I have added a temporary gateway to 172.29.0.1, from the standby-box I can ping www.google.com for example, but updates don't work.

    If I try option 13 from the standby-box, it says:

    Updating repositories metadata...
    No active remote repositories configured.

    Ping via option 7 works:

    Enter a host name or IP address: www.google.com

    PING www.google.com (216.58.212.132): 56 data bytes
    64 bytes from 216.58.212.132: icmp_seq=0 ttl=56 time=3.167 ms
    64 bytes from 216.58.212.132: icmp_seq=1 ttl=56 time=3.142 ms

    0
  • H

    I was able to update the standby-box the following way (more or less by accident...):

    System / Update / Update Settings: I switched the branch a few times, saving the settings in between.

    Suddenly I noticed that the available branch-options changed, instead of 2.3 options 2.4.x options became available. But when I tried to update from the GUI still no success. However: when I connected via SSH, this time option 13 "Update from console" worked!

    I'm now on 2.4.4-RELEASE-p2 and everything looks normal....

    0
  • stephenw10
    Netgate Administrator

    Ah, great. Coming from 2.3.4 or earlier can be a bit sketchy. There are several repo and upgrade package updates that need to apply before you see the 2.4.X updates.
    Glad you were able to resolve it.

    Steve

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy