Netgate Discussion Forum

    Can't update pfSense 2.3.3 when only LAN-port is connected

    Problems Installing or Upgrading pfSense Software

    • Hans70

      Dear forum-members,

      I have 2 pfsense-boxes in my network: one as a production-firewall, one as a standby-firewall. The standby-firewall is updated frequently with the config from the production-firewall, so in case of a problem we can switch to the standby-firewall immediately.

      The standby-firewall is only connected with the LAN-interface, the WAN-interface gets only connected when switching from prod-firewall to standby-firewall.

      I would like to upgrade the standby-firewall with the latest pfsense-release, but the standby-firewall can't update, in the dashboard it says: "Unable to check for updates".

      I have configured a default gateway on the standby-pfsense to the prod-pfsense, so it has internet-access. Under diagnostics I can ping www.google.com for example.

      Any suggestions how I can update without the WAN-interface connected?

      • KOM

        If you have a primary and standby, why not configure them in an HA arrangement?

        https://docs.netgate.com/pfsense/en/latest/highavailability/index.html

        • Hans70

          I'm planning to set up a configuration with HA, but for now I would like to test the pfsense-update on the standby-firewall with LAN only.
          Any suggestions are appreciated.

          • akuma1x

            Depending on how "locked-up" and secure your production network is, you could simply plug the WAN from the standby into an open/available port on your production LAN network. Again, depending on how your network is config'd, this might be just fine, or maybe not. That would get the standby box internet access, then simply plug a laptop into the standby box LAN port and you should be able to update thru the webGUI all you want.

            Are you the only person in IT there, or do you have a department? If you've got a department, pass it by them and see what they say. If you've got all sorts of restrictive corporate network policies, the above instructions may be forbidden.

            Jeff

            • Hans70

              Thanks for the suggestion, Jeff, that might work. Then I would have to temporarily change the WAN-IP to an IP in the LAN-segment and see if the update runs that way, and after the update change the IP back to the WAN IP.

              I'm going to try it, but I'm still a bit puzzled that internet-access is working fine when using the right gateway for the LAN-port, but the update-process won't work that way...

              • akuma1x

                @hans70

                If your LAN hands out DHCP addresses, with no funny DNS or routing going on behind the scenes, you can temporarily set your standby WAN port to grab a DHCP address from production LAN. Then, when you're done, switch standby WAN back to its original settings.

                Jeff

                • stephenw10 (Netgate Administrator)

                  It will conflict with the existing LAN subnet on the standby box if it has the same config as the main firewall.

                  If both LANs are connected, setting a temporary gateway as the main firewall LAN interface and making it default should work. Check it really is the default route in Diag > Routes.

                  Try running the update from the command line, menu option 13. What error does it show?

                  Steve

                  • Hans70

                    Both boxes have the same config, except for the LAN IP: the prod-box has 172.29.0.1, the standby-box has 172.29.0.100

                    On the standby-box I have added a temporary gateway to 172.29.0.1, from the standby-box I can ping www.google.com for example, but updates don't work.

                    If I try option 13 from the standby-box, it says:

                    Updating repositories metadata...
                    No active remote repositories configured.

                    Ping via option 7 works:

                    Enter a host name or IP address: www.google.com

                    PING www.google.com (216.58.212.132): 56 data bytes
                    64 bytes from 216.58.212.132: icmp_seq=0 ttl=56 time=3.167 ms
                    64 bytes from 216.58.212.132: icmp_seq=1 ttl=56 time=3.142 ms

                    • Hans70

                      I was able to update the standby-box the following way (more or less by accident...):

                      System / Update / Update Settings: I switched the branch a few times, saving the settings in between.

                      Suddenly I noticed that the available branch-options changed: instead of 2.3 options, 2.4.x options became available. But when I tried to update from the GUI, still no success. However, when I connected via SSH, this time option 13 "Update from console" worked!

                      I'm now on 2.4.4-RELEASE-p2 and everything looks normal....

                      • stephenw10 (Netgate Administrator)

                        Ah, great. Coming from 2.3.4 or earlier can be a bit sketchy. There are several repo and upgrade package updates that need to apply before you see the 2.4.X updates.
                        Glad you were able to resolve it.

                        Steve

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.