Netgate Discussion Forum
    To 2.5.0 or not ? that is the question :)

    General pfSense Questions
    • bmeeks @juanpadiaz, last edited by bmeeks

      @juanpadiaz said in To 2.5.0 or not ? that is the question :):

      @bmeeks excellent many thanks, let me try that

      But if you did not change that setting first, and attempted any package install or upgrade, then it would have corrupted the pkg utility on your firewall so it will no longer function under 2.4.5. I'm wondering if that is what has happened to you as the screenshot you posted of "Please wait ....." would only happen if the pkg utility got corrupted. Or that is the most likely cause of that error.

    • chpalmer @juanpadiaz, last edited by chpalmer

        edit- This post was actually meant as a reply to the OP and in general. Not to you Juan..

        Please read the "upgrade notes" about half way down on this page before trying to upgrade to 2.5

        https://www.netgate.com/blog/pfsense-plus-21-02-release-and-pfsense-ce-2-5-0-release-now-available.html

        We have only 14 boxes out there ourselves and only one had issues OpenVPN config related.. With only 14 boxes we still have a test box in a lab setting to run things on first before any major upgrades. Kinda surprises me that people with more units out there than we do choose not to test first.. But I digress.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

    • juanpadiaz @bmeeks

          @bmeeks Many thanks, the package manager is back to work!

    • bmeeks @juanpadiaz

              @juanpadiaz said in To 2.5.0 or not ? that is the question :):

              @bmeeks Many thanks, the package manager is back to work!

              Great!

    • skogs, last edited by skogs

                  Success.

                  Definitely listen to jwj's wise words...have backout plans...have backups...have the stuff handy. I do the same with hardware that costs 10s of thousands more...and can't count how many times that wildly expensive edge or core hardware has needed rework.

                  So I've been vigorously testing things on the development branch for a few months. Obviously just like everybody else, I can't test all configurations and setups, but I've had good success.

                  A while back there was a small issue with existing zfs setups (2.4.5 on zfs) being updated via usb/image and erring out with trying to load 2.5.x.rc with zfs. This was resolved. Did extra installs from 2.4.5 > 2.5.0 with existing zfs and ufs just fine. Also did a couple online webconfig initiated updates along the way and those were always fine.

                  For some reason if your temperature/cpu/update widgets aren't working on the main page; they work now when you turn on the state table size display. Not ideal but clearly not a breaking event and has a valid workaround. I believe by default the state table is shown, so 99.99% of people wouldn't even notice this until they got deep into tweaking the page config.

                  Packages that I use auto installed just fine after being fed the backup config.

                  Had a small issue on one install where I couldn't log into the web configurator after a fresh install. Super annoying. Console output said good login...but the login page wasn't going through. This was resolved after resetting all the stuff and using https. I think for the dummy setup I was doing I told it to use http instead, and that there was some small issue where the webconfigurator wasn't passing along to the config pages.

                  There is a package available for installing realtek drivers for those that have been suffering with that hardware. Seems easy enough, and more importantly seems more stable than previous - also haven't dropped gateway, no dpinger issues, and no unbound issues since testing the realtek driver.

```sh
pkg install realtek-re-kmod
echo 'if_re_load="YES"' >> /boot/loader.conf.local
reboot...winning...
```

                  Test with

```sh
dmesg | grep re0
```

                  Should say something about Realtek ... and leave out the alphabet soup that the previous driver said.. and show a version: 1.96.04 or something. Default driver doesn't state a version line.

                  To summarize...I've tested and tried to break a lot of things. It is ready.
                  It isn't perfect...but nothing ever is. If one finds some sort of serious breaking fault or a scenario that you feel has not been conceived of properly and planned for - you are gladly invited to help testing the development releases to make the next one even better.

    • SeaMonkey @SeaMonkey

                    @seamonkey said in To 2.5.0 or not ? that is the question :):

                    None of my static routes are active in my routing table after upgrading. I tried disabling and re-enabling to no avail.

                    UPDATE: I was able to get my static routes to show up in the routing table by going to Diagnostics:Tables:negate_networks and emptying the table. Unfortunately, I'm still unable to ping anything on the other side of my site-to-site VPN.

    • thesurf

                      I have updated to 2.5.0 and relayd is broken.

                      So if you rely on this wait a little bit with the update.

    • thesurf, last edited by thesurf

                        I also noted on searching for the relayd problem that on the cli the file clog is missing. So now comes the fun part. Which command to read the relayd.log which is binary.

    • dorianwoolger, last edited by dorianwoolger

                          Positive post :)

                          I have 2 units running HA with pfBlockerNG latest Devel version, OpenVPN for remote access and the OpenVPN client export package, 18 IPsec site to site tunnels, several VLANS, and manual outbound NAT for different VLANS going out on different IP addresses. I run the DNS resolver with domain overrides for customers AD access.

                          The hardware is a PC Engines APU2d4 with 4 GB RAM, AMD GX-412TC CPU.

                          Upgrade was done using the Web GUI interface from latest 2.4.5. I went for the master first, so took a backup of the config, put CARP into Persistent Maintenance Mode, no one shouted so assumed the rest of the house still had internet, then went for the upgrade.

                          All went through with no issues. Ran a few tests and checked that the config all looked good and exited the Maintenance Mode. Again no shouting from the household so all good.

                          Then went on and upgraded the slave, again with no issues.
                          The routers have now been up for 1 day, 13 hours with no issues.

                          Now, I have found one issue but it's only a display issue. On the Dashboard I have the IPsec status Widget:
                          (screenshot of the IPsec status widget)

                          The Active / Inactive are back to front. I currently have 1 inactive tunnel and 17 active.

                          If that's the only issue then I'm happy :)

    • psp, last edited by psp

                            Positive upgrade.

                            Starting from 2.4.5p1, 5 VLANs, 5 VPNs site-to-site (2 IPSec and 3 OpenVPN), 1 OpenVPN road-warrior, pfBlockerNG-devel.

                            Setup new device from scratch with 2.5.0/zfs, imported old (2.4.5p1) full backup. Added by hand Realtek drivers as pointed before. Lastly, migrated road-warrior VPN from OpenVPN to WireGuard (1 tunnel, n peers. Possible issue if more than 1 tunnel is actively used).

                            System up and running.

    • SeaMonkey

                              To anyone having OpenVPN issues, double check your cryptographic parameters in client and server. I had to add ncp-disable to my PIA connections to get them working again. Also, the update broke my site-to-site connection and I discovered that the IPv4 tunnel network on the client side was blank and was somehow previously working with it blank and with a certificate that didn't exist on the server.

    • stephenw10 Netgate Administrator @thesurf

                                @thesurf There is no relayd in 2.5 and it's unlikely to ever come back. It's in the release notes:
                                https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#security-errata

                                You should use HAProxy instead if you need that functionality.

                                Steve

    • johnpoz LAYER 8 Global Moderator @SeaMonkey

                                  @seamonkey said in To 2.5.0 or not ? that is the question :):

                                  discovered that the IPv4 tunnel network on the client side was blank and was somehow previously working with it blank and with a certificate that didn't exist on the server.

                                  Something like this could be the cause of many users' problems: something was allowing a setup to work that was in fact a bug or problem.

                                  As another example - not actually related to 2.5.. But it is a similar sort of example. I had freerad running and auth phones to my wireless via eap-tls. There was an update to the freerad package that broke my setup, because I didn't actually have any users set up, but it was authing anyway just on cert and not actually checking the cn on the cert matching the username.. When the package was updated to fix that, it broke my connection.

                                  So it's quite possible some changes in stuff could break specific setups that were working - but really shouldn't have been..

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 25.07 | Lab VMs 2.8, 25.07

    • stephenw10 Netgate Administrator

                                    There was a whole bunch pointless and abusive arguing in this thread that I have removed.

                                    Please keep it civil.

                                    Everyone here is working to resolve whatever issues there may be in 2.5. Actual reports with data to allow us to replicate are what will achieve that.

                                    Thanks,
                                    Steve

    • SeaMonkey @johnpoz

                                      @johnpoz In other words, the pfSense update doesn't suck. pfSense just got better at letting you know when your configuration sucks. 😆

    • johnpoz LAYER 8 Global Moderator @SeaMonkey, last edited by johnpoz

                                        ^ yeah that could be the case in some.. Not saying all, but sure some.. This is why details are so important when reporting something doesn't work. When working through my problem - the thread is around if you want to look... It took a bit of time to track it down. Viktor was most helpful in finding the issue..

                                        And after finding it - it was a d'oh moment for sure. Was like how in the hell was it working for so long before ;)

    • A Former User

                                          Currently the GUI renders an invalid FRR config when BGP as-path ACLs are in use. These ACLs are written under the "router bgp <asn>" section, which causes FRR and the bgpd daemon to fail to start. Switching to raw config mode and putting all bgp as-path access-lists outside the router bgp section is the only way to work around this. Prefix-lists and route-maps are not affected by this and are written correctly to the config.

                                          Another difference is that bgpd starting with version 7.5 does default filtering for route announcements. Without an outbound route-map in the neighbor statement, no routes will be announced at all. An empty "route-map permit <seq>" does the job.

                                          From the release notes of FRR 7.5:

                                          (screenshot of the FRR 7.5 release notes)

                                          I suggest putting this kind of information into the release notes of pfSense 2.5.0 as well, so customers can prepare their configuration before updating.

                                          The next difference compared to 2.4.5 is that IGP route synchronization is now in effect. I could not disable it by using "no synchronization" in the bgpd config. So when you configure prefixes with the network statement that are not in the routing table, it's necessary to configure a static route to Null for those networks on the device. This is pretty common on many network devices, but was not necessary in 2.4.5.

                                          One of my peers tore down after some time and wasn't able to get into Established state again at all. Had to reboot to resolve this. Logs said something like "Couldn't write to socket: Permission denied," (can't recall the exact message and hadn't saved the logs before rollback). The other two BGP sessions stayed up for about two hours.

                                          That's what I figured out for BGP on 2.5.0; haven't had the chance to look into OSPF yet.

                                          It's not directly related to FRR, but I also noticed that IPsec VTIs stay at an MTU of 1400, regardless of what's configured on the interface.

```text
route -n get <ip>
   route to: <ip>
destination: <ip>
        fib: 0
  interface: ipsec1000
      flags: <UP,HOST,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1400         1         0
```

                                          My favorite bug affects 2.4.5. Since I want to stay on 2.4.5 for now, I decided to change the branch back to Previous stable version. Doing so uninstalls FRR completely - no questions asked.

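As an added example (not from the thread, and not code from the pfSense FRR package), here is a small Python lint-and-fix pass over an FRR config of the shape the post above describes: it hoists any `bgp as-path access-list` lines that were rendered inside the `router bgp` section up to top level, where FRR expects them, and it lists neighbors that have no outbound route-map, which the post says FRR 7.5 needs before any route is announced. The sample config, ASNs, prefixes and route-map names are constructed for the example.

```python
import re

# Constructed sample resembling what the post describes the 2.5.0 GUI emitting:
# the as-path ACL sits inside the 'router bgp' section (hypothetical ASNs/names).
BROKEN_CONFIG = """\
frr defaults traditional
!
ip prefix-list PL-CUST permit 192.0.2.0/24
!
route-map RM-OUT permit 10
!
router bgp 65000
 bgp router-id 198.51.100.1
 bgp as-path access-list AS-UPSTREAM permit ^65010_
 neighbor 198.51.100.2 remote-as 65010
 neighbor 198.51.100.2 route-map RM-OUT out
 neighbor 198.51.100.3 remote-as 65020
 address-family ipv4 unicast
  network 192.0.2.0/24
 exit-address-family
!
"""

AS_PATH_RE = re.compile(r"^\s*bgp as-path access-list\s")
ROUTER_BGP_RE = re.compile(r"^router bgp\s+\d+")
NEIGHBOR_RE = re.compile(
    r"^\s*neighbor\s+(\S+)\s+(remote-as|route-map)\s+(\S+)(?:\s+(in|out))?")


def hoist_as_path_acls(config: str) -> str:
    """Move 'bgp as-path access-list' lines found inside a 'router bgp' block
    to top level, immediately before that block. Everything else is kept as-is.
    A block ends at the next unindented line ('!' or the next top-level stanza)."""
    out: list[str] = []
    hoisted: list[str] = []
    block_start = None  # index in 'out' where the current router bgp block began

    def close_block() -> None:
        nonlocal block_start, hoisted
        if block_start is not None and hoisted:
            # insert the hoisted ACLs (plus a separator) before 'router bgp ...'
            out[block_start:block_start] = hoisted + ["!"]
        block_start, hoisted = None, []

    for line in config.splitlines():
        top_level = bool(line) and not line[0].isspace()
        if top_level:
            close_block()
            if ROUTER_BGP_RE.match(line):
                block_start = len(out)
        elif block_start is not None and AS_PATH_RE.match(line):
            hoisted.append(line.strip())  # drop the indentation FRR rejects
            continue
        out.append(line)
    close_block()
    return "\n".join(out) + "\n"


def neighbors_without_outbound_route_map(config: str) -> list[str]:
    """Return peers declared with 'remote-as' that have no 'route-map ... out',
    i.e. peers that FRR 7.5's default filtering would announce nothing to."""
    peers: list[str] = []
    with_out: set[str] = set()
    for line in config.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        peer, kind, _arg, direction = m.groups()
        if kind == "remote-as":
            peers.append(peer)
        elif kind == "route-map" and direction == "out":
            with_out.add(peer)
    return [p for p in peers if p not in with_out]


if __name__ == "__main__":
    print(hoist_as_path_acls(BROKEN_CONFIG))
    print("peers lacking an outbound route-map:",
          neighbors_without_outbound_route_map(BROKEN_CONFIG))
```

Run against the sample, the ACL line lands above `router bgp 65000` and `198.51.100.3` is reported as the peer that will announce nothing until it gets a `route-map ... out`. The fixer is idempotent, so it is safe to run over a config that was already corrected by hand in raw mode.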
    • dma_pf, last edited by dma_pf

                                            Upgraded to 2.5.0 about 10 hours ago from the GUI. The update went smoothly and took a total of less than 15 minutes. I was able to log in to the GUI after the upgrade was completed. Everything has been running well and has been stable. I had 2 issues that came up post upgrade.

                                            Issue 1: I had 3 openvpn connections that were down. Before the upgrade I had read some posts where others had had the same issue. The fix was to uncheck the "Data Encryption Negotiation" setting in the openvpn client setups. As soon as the setting was unchecked and saved the connections were immediately reinstated.

                                            Issue 2: Once pfBlockerNG-devel was reinstalled the DNSBL was out of sync. It was easily resolved with a Forced/Reload in the Update tab in pfBlockerNG.

                                            My setup includes the following: 1 WAN, 2 regular interfaces, 4 vlans, multiple DHCP Servers, DNS Resolver, Dynamic DNS, 3 openvpn clients, 2 openvpn servers.

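Both SeaMonkey's advice to double-check the cryptographic parameters on client and server and dma_pf's "Issue 1" come down to the same question: will the data-channel cipher the client ends up with be one the server accepts? As an added example (not from the thread, not pfSense code), here is a small Python checker that parses two OpenVPN-style option sets and answers that question under a simplified model of OpenVPN 2.5 cipher selection: when either side has `ncp-disable` (which this example assumes is what pfSense's "Data Encryption Negotiation" checkbox toggles) the client's static `cipher` must be in the server's accepted set; otherwise the first entry of the server's `data-ciphers` list that the client also lists is chosen. The default list, the sample configs and the hostname are constructed assumptions; the exact rules are in the OpenVPN manual.

```python
# Simplified model of OpenVPN 2.5 data-channel cipher selection (assumption).
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # assumed default list when none is set

# Constructed sample configs (placeholder hostname, not taken from the thread).
SERVER_CONF = """\
port 1194
proto udp
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
auth SHA256
"""
CLIENT_NEGOTIATING = """\
client
dev tun
remote vpn.example.invalid 1194   # placeholder hostname
data-ciphers AES-128-GCM
auth SHA256
"""
CLIENT_LEGACY_OK = CLIENT_NEGOTIATING.replace("data-ciphers AES-128-GCM",
                                              "ncp-disable\ncipher aes-256-cbc")
CLIENT_LEGACY_BAD = CLIENT_NEGOTIATING.replace("data-ciphers AES-128-GCM",
                                               "ncp-disable\ncipher AES-128-CBC")


def parse_ovpn(text: str) -> dict[str, list[str]]:
    """Minimal option parser: one option per line, '#' or ';' starts a comment,
    inline <ca>...</ca> style blocks are skipped. Returns option -> arguments."""
    opts: dict[str, list[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts[key] = args
    return opts


def negotiable_ciphers(opts: dict[str, list[str]]) -> list[str]:
    """Ciphers this side offers for negotiation (data-ciphers, older ncp-ciphers)."""
    for key in ("data-ciphers", "ncp-ciphers"):
        if key in opts:
            return [c.upper() for c in opts[key][0].split(":")]
    return list(DEFAULT_DATA_CIPHERS)


def static_cipher(opts: dict[str, list[str]]) -> str:
    """Cipher used when negotiation is off (fallback option, else 'cipher')."""
    if "data-ciphers-fallback" in opts:
        return opts["data-ciphers-fallback"][0].upper()
    return opts.get("cipher", ["BF-CBC"])[0].upper()  # BF-CBC: historic default


def check_data_channel(client_text: str, server_text: str) -> dict:
    client, server = parse_ovpn(client_text), parse_ovpn(server_text)
    if "ncp-disable" in client or "ncp-disable" in server:
        chosen = static_cipher(client)
        if "ncp-disable" in server:
            allowed = {static_cipher(server)}
        else:
            allowed = set(negotiable_ciphers(server)) | {static_cipher(server)}
        if chosen in allowed:
            return {"ok": True, "cipher": chosen,
                    "reason": "negotiation disabled; static cipher accepted by server"}
        return {"ok": False, "cipher": None,
                "reason": f"client cipher {chosen} not in server set {sorted(allowed)}"}
    # both sides negotiate: server walks its own list and takes the first match
    common = [c for c in negotiable_ciphers(server) if c in negotiable_ciphers(client)]
    if common:
        return {"ok": True, "cipher": common[0], "reason": "negotiated"}
    return {"ok": False, "cipher": None,
            "reason": "no cipher common to both data-ciphers lists"}


if __name__ == "__main__":
    for name, conf in [("negotiating", CLIENT_NEGOTIATING),
                       ("legacy-ok", CLIENT_LEGACY_OK),
                       ("legacy-bad", CLIENT_LEGACY_BAD)]:
        print(name, check_data_channel(conf, SERVER_CONF))
```

The third sample is the failure mode the thread describes: a client pinned to a cipher the server neither negotiates nor falls back to never gets a working data channel, and the fix is to align the cipher on one side rather than to keep toggling negotiation.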
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.