To 2.5.0 or not ? that is the question :)
-
I am seeing confusing messages about experiences people had upgrading to 2.5.0.
So asking people to reply with positive or negative feedback on 2.5.0 here (I think it will be helpful to all...)
(To be or not to be?)
To 2.5.0 or not ? that is the question :)Thx
-
Some good, some bad. Is it because of how they have it configured? Or because of some strange case the programmers did not think of?
I will crank up my VMs and load my config and find out if I am in the good or bad group to avoid wrecking the family and getting yelled at because the internet is down...
Good times.
-
There are a lot of pfSense users. A lot. We have heard from a handful that have had real issues (not user error or confusion). If you use ipsec there are threads you should read before upgrading. A patch has already been made available for at least one identified issue.
So, to answer your question. Yes. But only once you know what, exactly, you would do if it doesn't go well. Do you have a backup of your current working configuration? Do you have an install image of your current version ready to go? Do you know what to do with those things if the stuff hits the fan? You don't want to be knocked offline and then (after) find out you don't have the console cable needed to reinstall. It should take a just a few minutes to fall back to your current, running, configuration if you're properly prepared.
You're right, it would be good to have a thread of success stories. Including details about the configuration and any packages involved.
-
@jwj said in To 2.5.0 or not ? that is the question :):
There are a lot of pfSense users. A lot. We have heard from a handful that have had real issues (not user error or confusion). If you use ipsec there are threads you should read before upgrading. A patch has already been made available for at least one identified issue.
So, to answer your question. Yes. But only once you know what, exactly, you would do if it doesn't go well. Do you have a backup of your current working configuration? Do you have an install image of your current version ready to go? Do you know what to do with those things if the stuff hits the fan? You don't want to be knocked offline and then (after) find out you don't have the console cable needed to reinstall. It should take a just a few minutes to fall back to your current, running, configuration if you're properly prepared.
You're right, it would be good to have a thread of success stories. Including details about the configuration and any packages involved.
Good summary of a to-do-list.
Where do you get an install image 2.4.5 from ?
Maybe you can share it here ?Thx
-
NOT AVAILABLE AS OF 19-2 AM
https://nyifiles.netgate.com/mirror/downloads/This is one of the Netgate mirrorsOfficially, you should open a ticket with Netgate and request a download link to be emailed to you.
There is a readme with those images. Ummmm.... reading it is recommended ;) I know right, who actually reads those things... This one tells you what to do with your backed up config so that it will be automagically applied when you do a fresh install. Saves a step and some potential heartache.
-
2.5.0 seems to only be available on amd64 platforms. The arm upgrade path is to the new 21.02 train and there are enough smoldering piles of routers that I think I'm going to wait it out until there's another release which addresses the plethora of known upgrade bricking/failures.
-
@chudak take a backup, if upgrade fails roll back. Will take 30 minutes of your time to know for sure what if any issues you will face. No amount of users anecdotal experiences will with 100% certainty help you assess your config on your hardware.
PS my upgrade was flawless. Making use of multiple OpenVPN connections, vlans, IPV6, pfblocker, avahi and others.
-
My main pfSense router is running on Exsi VM which I didn’t upgrade it yet. I also have installed pfSense 2.4.5 with exactly same configuration as my main router on Odyssey x86 with dual NIC (as a replacement in case of any problem). I have replaced the main router with Odyssey and upgraded with pfSense 2.5 last night. All went well and didn’t have issues.
My pfsense routers have been configured with 7 VLANS and have pfBlockerNG devel and Suricata packages installed.
I don’t use VPN or IPSec.
I will test this router for another few days before upgrading my Exsi VM pfSense.
One thing I noticed after upgrading is that memory usage reduced from 60% to 20% of 8GB.
Hope it helps.
-
/usr/local/etc/rc.d/frr restart all Checking intergrated config... Checking vtysh.conf line 37: % Unknown command[4]: address-family ipv4 unicast line 38: % Unknown command[4]: network <ip>.64.0/20 line 39: % Unknown command[4]: neighbor <ip>.16.1 activate line 40: % Unknown command[4]: neighbor <ip>.16.17 activate line 41: % Unknown command[4]: neighbor <ip>.16.29 activate line 42: % Unknown command[4]: neighbor <ip>.16.1 send-community both line 43: % Unknown command[4]: neighbor <ip>.16.1 next-hop-self line 44: % Unknown command[4]: neighbor <ip>.16.1 soft-reconfiguration inbound line 45: % Unknown command[4]: neighbor <ip>.16.1 route-map Site_Kref_Primary_RMAP in line 46: % Unknown command[4]: neighbor <ip>.16.1 addpath-tx-bestpath-per-AS line 47: % Unknown command[4]: neighbor <ip>.16.17 send-community both line 48: % Unknown command[4]: neighbor <ip>.16.17 next-hop-self line 49: % Unknown command[4]: neighbor <ip>.16.17 route-map HDC-LOCAL-PREF80 in line 50: % Unknown command[4]: neighbor <ip>.16.29 send-community both line 51: % Unknown command[4]: neighbor <ip>.16.29 next-hop-self line 52: % Unknown command[4]: neighbor <ip>.16.29 route-map HDC-LOCAL-PREF90 in line 53: % Unknown command[4]: exit-address-family FAILEDIf somebody is using FRR for BGP be carefull - Zebra and BGPd won't come up and your network is fried if you rely on it. Thanks to virtualization and snapshot it's possible to minimize damage.
-
I'm waiting for 2.5.1.
I've been on 2.4.5 for so long, I can wait a little longer for the big issues to be discovered and fixed. It's about uptime and reliability right?
Anyway, I do understand why people (including myself) want to play with the new shiny 2.5.0 toy.
-
@trony
If you have only one router with pfSense then it’s better to wait until it’s tried and tested. Hence the reason I upgraded the spare router to test it. -
@trony said in To 2.5.0 or not ? that is the question :):
I'm waiting for 2.5.1.
I've been on 2.4.5 for so long, I can wait a little longer for the big issues to be discovered and fixed. It's about uptime and reliability right?
Anyway, I do understand why people (including myself) want to play with the new shiny 2.5.0 toy.
Wonder if devel guys saw any feedback from this community warranting releasing 2.5.1 soon.
Maybe @johnpoz knows ?
-
I have seen nothing mentioned.. But I did see some redmine in about something unbound maybe if your registering dhcp, and mention of fixing the widget for QAT..
But not sure if such things would warrant 2.5.1, maybe a 2.5.0p1 or something
While I have seen some issues with ipsec reported.. I updated my sg4860 and not seeing any problems at all.. Running haproxy, openvpn both server and client. I got wireguard up and running for my iphone in a few minutes.. Everything seems to be working from what I can tell.
Not seeing any issues.. I had some problem trying to migrate to zfs vs ufs during the install. But prob something stupid I was doing trying to load the previous config during install? I will re-address that at a later time. Prob this weekend.
Keep in mind - I am sure there are thousands and 100's of thousands of pfsense installs out there. If not million(s).. Would expect the vast majority of every upgraded with zero issues..
You always see the reports of one offs.. Someone with odd hardware, odd configs, etc.
With any upgrade of this nature.. Make sure you have your plan in order, backup of your config and install media and even if the worse things happens.. You can be up and running again in a few minutes.
This is a major update.. The whole freebsd base was updated.. Many many new things and changes.. If want to wait - sure wait.. Its been a long wait for 2.5.. A few more days or weeks isn't going to matter.. Not like 2.4.5p1 stops working tomorrow ;)
But if your waiting for .1 or p1 or something like that - that could be awhile.. But sure there are many a company out there that will not update OS until service pack 1 has been released ;)
As with all the previous upgrades - many of them very major in nature.. The pfsense/netgate team has done some amazing work..
edit: I still have some devices on 2.4.4p3.. They are remote offices, and nobody there - and since they are production. Its not worth risk, even if very small of trying to upgrade them while nobody is there to recover if the something goes wrong..
-
@johnpoz said in To 2.5.0 or not ? that is the question :):
a 2.5.0p1 or something
I did mean "a 2.5.0p1 or something" :)
Thanks for detail reply !
The purpose of my initial question was to help all
concerned partiesto avoid dramatic outcomes from uninformed decisions (including myself) -
Its never a good idea to upgrade such a system without some thought to it..
Even if not a "production" system in a corporation or business.. It quite often is your connection to the internet.. If that breaks in any way - it can have all kinds of consequences.. Even if that is just your significant other or kids screaming at you that netflix is not freaking working ;)
I pulled the trigger last night vs waiting til early morning (wife not up yet time frame)... And while playing with trying to get zfs working - I got that - hey you doing something with the internet yell ;)
So I just did UFS and was backup in a few minutes..
-
This post is deleted! -
This post is deleted! -
This post is deleted! -
This post is deleted! -
This post is deleted! -
This post is deleted! -
This post is deleted! -
@johnpoz said in To 2.5.0 or not ? that is the question :):
I pulled the trigger last night vs waiting til early morning (wife not up yet time frame)... And while playing with trying to get zfs working - I got that - hey you doing something with the internet yell ;)
LOL. I know exactly what you are talking about. Been there too many times.
-
This post is deleted! -
This post is deleted! -
This post is deleted! -
We have had a very bad experience with the update to version 2.5 or 21.02 as it appears on the dashboard, and this has more to do with support for previous versions, I have more than 100 devices running on version 2.4.5-RELEASE -p1 and none of these allow me to update or install packages from the package manager
-
This post is deleted! -
@juanpadiaz said in To 2.5.0 or not ? that is the question :):
We have had a very bad experience with the update to version 2.5 or 21.02 as it appears on the dashboard, and this has more to do with support for previous versions, I have more than 100 devices running on version 2.4.5-RELEASE -p1 and none of these allow me to update or install packages from the package manager
You should be able to install packages on the 2.4.5 RELEASE if you go to the Update Manager screen and change the drop-down to "Previous Stable Version" (or something akin to that wording). That will reset
pkgon your system to reference and use the older repository.However, if you have already tried to install a 2.5 package onto pfSense-2.4.5, you may have corrupted
pkgas it would get updated with the latest version which is likely to have issues with the shared libraries present in the older 2.4.5 pfSense. Note that packages in the 2.4.5 repository tree will stay at their current versions. Updates to packages will only happen in the "current" pfSense release which is now either 2.5 or 21.02, depending on whether you are using Community Edition on generic hardware, or running the new pfSense+ on Netgate hardware. -
This post is deleted! -
@bmeeks Many thanks, we are using Netgate hardware but we already try to install packages from a 2.4.5-RELEASE-p1, never updated one, and the package manager just gives us, and the premium support doesn't have the right response yet, we can not just upgrade all of our production devices without any tests, but any device with the version 2.4.5-p1 or older are not able to download or install packages via the package manager.
-
This post is deleted! -
None of my static routes are active in my routing table after upgrading. I tried disabling and re-enabling to no avail.
-
This post is deleted! -
@juanpadiaz said in To 2.5.0 or not ? that is the question :):
@bmeeks Many thanks, we are using Netgate hardware but we already try to install packages from a 2.4.5-RELEASE-p1, never updated one, and the package manager just gives us, and the premium support doesn't have the right response yet, we can not just upgrade all of our production devices without any tests, but any device with the version 2.4.5-p1 or older are not able to download or install packages via the package manager.
The translation to English is a bit confusing to me, so please forgive me asking additional questions. So are you saying you have a pfSense-2.4.5_p1 box that you never attempted to update anything on, and you went first to the Update Settings page and changed the drop-down there to "Previous Stable Version (2.4.5 deprecated)" and saved that change? Then you go to SYSTEM > PACKAGES and can't do anything? Or did you first go to SYSTEM > PACKAGES and attempt to install a package BEFORE you changed the Update Settings value in the drop-down? The sequence is critical. If you attempted to install or update a package before you changed the
pkgutility on your firewall to reference the "Previous Stable Version (2.4.5 deprecated)", then that would have immediately installed an updatedpkgbinary on your 2.4.5 firewall, but from the 2.5 (or 21.02) new pfSense repository. That newerpkgutility can't work on 2.4.5_p1. That can cause the issue you are seeing.Go check out this thread: https://forum.netgate.com/topic/160989/upgrade-packages-on-2-4-5-p1/6 and see if the solution there helps you.
-
@bmeeks Not a problem bmeeks, first devices with 2.4.5_p1 on production cant download or install packages from the package manager, i mean devices with any pfsense version upgrade I have many of them, these problem is a pretty big problem because that means that I can not add any functionality o feature to that device
The only solution to have the package manager back on business is to upgrade to 20.02 but, obviously and as @jwj says is not the more inteligent thing to do to just upgrade in a production environment
-
This post is deleted! -
This post is deleted! -
@juanpadiaz said in To 2.5.0 or not ? that is the question :):
@bmeeks Not a problem bmeeks, first devices with 2.4.5_p1 on production cant download or install packages from the package manager, i mean devices with any pfsense version upgrade I have many of them, these problem is a pretty big problem because that means that I can not add any functionality o feature to that device
The only solution to have the package manager back on business is to upgrade to 20.02 but, obviously and as @jwj says is not the more inteligent thing to do to just upgrade in a production environment
But I still need to know if you went to SYSTEM > UPDATE SETTINGS and changed the pfSense repository version to "Previous Stable Version (2.4.5 deprecated)". That is very critical! And you must have done that before trying to install or update any packages.
Changing that setting works on Community Edition (CE) pfSense. I assume it works in pfSense+ (the old Factory Edition), but I'm not 100% positive.
-
@bmeeks excellent many thanks, let me try that
