Grandpa's update. Updating from 2.1.5 to 2.4.4...
-
Hi all...
It is time to update our grandpas... 2 pfSense in HA v2.1.5 to the latest v2.4.4...
Any feedback, please? Would it work if I export the configuration from 2.1.5 and import it into a fresh 2.4.4?
There are many ways to do the update... but with such a big "version jump", which would be the most recommended way?
Thanks!
Pedreter
-
Remove all packages before attempting to export/import the config
-
@pedreter Just curious... what hardware are you running that old pfSense stuff on?
Jeff
-
I would verify your hardware will work with pfSense 2.4.4-p2 before going much further.
I would not update; I would install a fresh copy of pfSense. Plan on some downtime in case things go wrong.
To see the full changelog, you will need to read from 2.1.5 through 2.4.4-p2: https://docs.netgate.com/pfsense/en/latest/releases/index.html#older-unsupported-releases
Short answer: you will need 64-bit, and Nano is no longer supported.
You should follow this guide: https://docs.netgate.com/pfsense/en/latest/highavailability/redundant-firewalls-upgrade-guide.html
Review changelog/blog/upgrade guide
Take a backup from both nodes. Do not skip this step!
Upgrade secondary as described in the Upgrade Guide
Test secondary to be sure it is operating OK – expected packages present, services running, no obvious errors in logs, etc
Switch CARP to maintenance mode on primary from Status > CARP
Ensure traffic is still flowing properly and that the network is functional. If it is not, then exit maintenance mode on the primary, fix the secondary then try again.
Upgrade primary as described in the Upgrade Guide. I would deviate at this point and do a fresh install from USB of the version that you just downloaded.
Once installed, I would restore the backup you made earlier for the primary.
Check primary to ensure it upgraded OK – expected packages present, services running, no obvious errors in logs, etc
Exit maintenance mode on primary
Test again
Now do the same process on the secondary.
This is a big jump. You should have a rollback plan in place, most preferably spare hardware. I would guess that the firewalls have not been rebooted, and there is a chance they won't boot up (hardware fails).
-
Thanks a lot for all answers...
I am very happy with v2.1.5, it is rock solid! But I need to update because the load balancer (relayd) is not balancing SMTP connections evenly and this is turning into a serious problem.
Main alternative to updating would be to try out HAProxy... what do you think?
HW is 2Xeon E5v1+16GB_RAM per node.... I guess there will be no problem with v2.4.4
Thanks again Heper, Akuma1x and ChrisMacMahon...
Pedreter
-
Sure it might be "rock solid", but it's very insecure. Click on the first link I sent you and start at 2.2. Do you see the section called "Security Fixes"? Repeat this until you hit 2.4.4-p2. There have been many security fixes over the years.
You can't install any new packages.
You need to update.
-
Fully agree ChrisMacmahon.... thanks for your kind help!
Basically.... starting from secondary... I will remove all packages... export config, install new 2.4.4 from ISO and tell the install process I have a config file....
Thanks again... ChrisMacMahon, beers are on me! :-)
Pedreter.
-
When was the last time the devices were rebooted?
2.1.5 was ~5 years ago; there is a strong chance some of your hardware will not come up again after a boot. Please be aware it might be better to buy new equipment, and retire the hardware that is old.
-
Thanks ChrisMacMahon...
Currently we plan just to renew all drives as a cautionary measure... Does the FreeBSD of pfSense 2.4.4 support SSD trimming?
Thanks!
Pedreter.