Installing any package prompts to downgrade icu, uninstall boost-libs and mongodb, breaking Unifi on pfsense



  • Ok folks, I've experimented with two new pfsense builds. Originally a Dell Optiplex 390 on 2.4.4p2 (it began its life back in 2.3.3 days and been upgraded since). No problems at all with that build.
    Newer Optiplex 3020 with a core i5, installed 2.4.4p3 straight on, restored config, and ran Gadzooks Unifi on pfsense script (find it on github). In Unifi, restored config. System works, Unifi APs and switches and clients all report in, all with the flexibility of a pfsense box in a home environment.

    Now if I try to install any package, be it something simple like nano text editor, or a pfsense package like ntopng... pkg always says it will downgrade icu 65.1,1 to 62.1_1,1 and also remove boost-libs-1.71.0_2 and mongodb34-3.4.23. I do not know enough about pkg in FreeBSD to tell it to leave it alone, like it did on the older system.

    The problem with removing these packages is that Unifi relies on mongodb, so once removed, Unifi is broken and needs to be wiped out and reinstalled again.

    I've also tried with another SSD, this time installing vmware esxi 6.7 first, then pfsense as a VM and ubuntu as a vm (installing unifi there). Though it added 10 watts of power consumption, and a lot of complexity that really isn't needed in a home environment. I'd rather run pfsense bare metal. It boots really fast and only uses 22 watts or so at idle.

    Here is an output of pkg for an example:

    pkg install ntopng
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Updating database digests format: 100%
    Checking integrity... done (0 conflicting)
    The following 8 package(s) will be affected (of 0 checked):
    
    Installed packages to be REMOVED:
            boost-libs-1.71.0_2
            mongodb34-3.4.23
    
    New packages to be INSTALLED:
            ntopng: 3.6.d201800910,1 [pfSense]
            libsodium: 1.0.16 [pfSense]
            ndpi: 2.4.d20180830,1 [pfSense]
            GeoIP: 1.6.12 [pfSense]
            mysql56-client: 5.6.41 [pfSense]
    
    Installed packages to be DOWNGRADED:
            icu: 65.1,1 -> 62.1_1,1 [pfSense]
    
    Number of packages to be removed: 2
    Number of packages to be installed: 5
    Number of packages to be downgraded: 1
    
    The operation will free 233 MiB.
    
    Proceed with this action? [y/N]: n
    


  • Unfortunately, running UniFi on pfSense is totally unsupported. You're going to be hard pressed to find anyone willing to offer help here. I'd either run it in a VM, or host the controller at another site.





  • @chpalmer Yes that's the one.

    Worked fine for a number of years on a Dell Optiplex 390, Legacy Boot to 128GB SSD UFS.

    • Survived pfsense upgrades from 2.3.3 up to 2.4.4p2.

    • Survived package upgrades like pfBlockerng, ntopng and others.

    On the Optiplex 3020 installed UEFI from a 2.4.4p3 thumb drive... to 256GB SSD ZFS, no dice.

    I tried the VM method. Added additional complexity. While it worked, by morning the unifi app would not connect, and I could not connect to the ubuntu with SSH despite the VM looking good in the ESXi web console. Plus its slightly higher power draw and longer boot time, also legacy boot since there is a bug in the ESXi 6.7u3 installer preventing UEFI boot. There's also a number of posts on reddit... virtualize pfsense or bare metal. I have to agree with the abundance of posters that bare metal is the way to go. That way the network can't come down due to added complexity, or you aren't messing around with the hypervisor and take the network down. Whole wife acceptance factor.



  • Hmm, I think I found a way around it using the pkg lock command... see below

    # pkg lock mongodb34-3.4.23
    mongodb34-3.4.23: lock this package? [y/N]: y
    Locking mongodb34-3.4.23
    # pkg lock boost-libs-1.71.0_2
    boost-libs-1.71.0_2: lock this package? [y/N]: y
    Locking boost-libs-1.71.0_2
    # pkg install ntopng
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 6 package(s) will be affected (of 0 checked):
    
    New packages to be INSTALLED:
            ntopng: 3.6.d201800910,1 [pfSense]
            libsodium: 1.0.16 [pfSense]
            ndpi: 2.4.d20180830,1 [pfSense]
            GeoIP: 1.6.12 [pfSense]
            mysql56-client: 5.6.41 [pfSense]
    
    Installed packages to be DOWNGRADED:
            icu: 65.1,1 -> 62.1_1,1 [pfSense]
    
    Number of packages to be installed: 5
    Number of packages to be downgraded: 1
    
    The process will require 62 MiB more space.
    
    Proceed with this action? [y/N]:
    

    Notice now it no longer claims those two packages will be removed. Further testing needs to be done to see if downgrading icu causes any issues, or if I can lock that one or not.

    Info on the pkg lock command:
    https://www.freebsd.org/cgi/man.cgi?query=pkg-lock&sektion=8&manpath=freebsd-release-ports



  • I just stuck the package on my test router I keep here. I'll see if things survive..

    I saw a couple of questionable entries as they scrolled by but I need to increase my Putty screen buffer.

    But let us know how it works out with the lock..



  • @chpalmer

    Ok so far so good. I also locked icu. I installed ntopng from command line and it did not error out on anything. Though there's nothing in the GUI and lsof -i | grep 3000 does not show it listening on port 3000 like a good install.

    I then installed it via the web gui, again the log had no errors, but in the web gui package area under installed packages, it's not listed, nor is its link or settings listed under the diagnostics menu. I rebooted the pfsense box but it's still not there. In SSH running pkg info shows the package is installed.

    ntopng-3.6.d201800910,1        Network monitoring tool with command line and web interfaces
    

    But there's no way to run or execute it that I could see. This is just one package I picked as a test... not a show stopper but interesting nonetheless. Unifi controller is still working strong. I successfully pushed out firmware updates to a switch and AC Lite AP.



  • For my above example, ntopng... I got it working - there's just no indication in the pfsense web gui that it's installed.

    In SSH run
    redis-server /usr/local/etc/redis.conf

    Then run redis-cli ping , the system returns PONG which shows its running.

    Now run ntopng

    Now browse to the ntop web gui, http://192.168.1.1:3000 in my case. It walks through setting up the admin password, it gets in and it shows data.

    So this package works with pkg lock, it just did not write any shortcuts in the pfSense web gui, it did not start automatically with system boot, and the installed packages list in the web gui does not list it as an installed package, when in reality behind the scenes it is installed and working (though manually invoked).



  • I think I figured this out by installing pfsense in virtualbox VM, configuring it and then comparing pkg info commands between it and my live system. The live system always had a warning about pkg version 35 is newer than installed database 34 at the top, and there were a few other packages that were newer versions than the stock 2.4.4p3 system. The pkg version warning did not sit pretty with me so that's when I decided to blow away this new install and start over.

    After I wiped the drive and did a reinstall, I reapplied my config file. The interfaces were different from the old system (re0, igb0). Therefore until I got to the physical console and fixed it, the packages never installed because it could not contact the internet. The second time around I edited my xml config file in notepad++ and altered the WAN and LAN with the proper igb0 and igb1 designations as they are on the new box. Next wipe I got it back up and restored config. This time since the interfaces were correct, when it restarted it had internet access and the system was able to automatically reach out and download all of the packages. At the top of the web ui in a yellow banner it said to hold off on any changes while packages are reinstalled from the internet. (This is the behavior I noticed in my VirtualBox install test).

    The only one I had to manually install was bandwidthd (it was in the menu but the package wasn't installed). But after giving the system time installing all of these packages, I was able to install the Unifi controller using the github script. I then pkg lock these three packages:
    boost-libs-1.71.0_2
    icu-65.1,1
    mongodb34-3.4.23

    I then installed the command line packages for lsof and nano, and they installed and work without issue. Nothing was downgraded or removed. System is running smoother than it ever has.

    I think the pkg database got messed up in the original install after importing the config, since the system was not able to contact the internet and complete the package install. There was no button in the UI to "retry" and reloading the config and just choosing package database did not seem to do anything. A clean install fixed it.
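
Added example, not written by any poster in this thread: a pre-flight check that parses the pkg transaction summary format shown in the first post and refuses when packages the UniFi controller depends on would be removed or downgraded. The function names and the protected-prefix list are hypothetical, and the sample summary is abbreviated from that post's output.

```shell
#!/bin/sh
# Added example (not from the thread): review a pkg transaction summary for
# removals/downgrades of packages another service depends on.

# Abbreviated from the `pkg install ntopng` output in the first post.
SAMPLE='The following 8 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
        boost-libs-1.71.0_2
        mongodb34-3.4.23

New packages to be INSTALLED:
        ntopng: 3.6.d201800910,1 [pfSense]

Installed packages to be DOWNGRADED:
        icu: 65.1,1 -> 62.1_1,1 [pfSense]

Number of packages to be removed: 2
'

# Print "ACTION name" for every package pkg plans to remove or downgrade.
risky_changes() {
    awk '
        /to be REMOVED:/           { action = "REMOVED"; next }
        /to be DOWNGRADED:/        { action = "DOWNGRADED"; next }
        /to be [A-Z]+:/ || NF == 0 { action = ""; next }  # section ends
        action != "" { name = $1; sub(/:$/, "", name); print action, name }
    '
}

# Return 1 if a planned removal/downgrade hits a name starting with any
# argument (prefix match, so "icu" also covers icu-* packages).
guard_protected() {
    changes=$(risky_changes)
    status=0
    for p in "$@"; do
        hit=$(printf '%s\n' "$changes" | awk -v p="$p" 'index($2, p) == 1')
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit" | sed 's/^/BLOCK: /' >&2
            status=1
        fi
    done
    return "$status"
}

# Live use (assumes pkg's -n dry-run flag): pkg install -n ntopng | guard_protected ...
printf '%s' "$SAMPLE" | guard_protected mongodb34 boost-libs icu ||
    echo "protected packages affected: pkg lock them or answer n"
```

Run against the summary from the post made after locking mongodb34 and boost-libs, the same check still reports the icu downgrade, which is the one change that post left open.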

