Problems upgrading from 2.4.5 to 2.5.0
-
I tried your fix and it worked! Thanks a lot for that!
I have two more remote pfsense boxes at 2.4.5. Will I have to do the same thing for these two boxes? What did I do wrong? I was told I should have removed all packages before an upgrade. Does this include point releases? On my own pfsense I have 2.5.0 and it's asking to upgrade to 2.5.1. Should I uninstall all my packages for this upgrade?
-
@powerextreme said in Problems upgrading from 2.4.5 to 2.5.0:
removed all packages before an upgrade. Does this include point releases?
I asked this question before a few years ago and got some conflicting answers as I recall. I generally have uninstalled/reinstalled packages, to be safe.
-
I think I've got most problems solved for my setup. First off, I'm not a Linux guy (trying to learn it). I'm not an .XML guy (learned more than I wanted to know). I upgraded to 2.5.1 after a couple of years of pfSense just running flawlessly other than occasional tweaking, so I've forgotten most of what I did when I put it all together. I have about a hundred smart devices, phones, computers, cameras, Unifi infrastructure, and media players. I have them all segregated on 4 VLANs (.10 LAN, .20 Cameras, .30 IoT, .40 Filtered, .50 Unfiltered), and for the most part, everything works. I was terrified when all kinds of issues described above started happening, and I realized I hit "Update" before backing up config or reading up on uninstalling packages. Rebuilding this whole thing would have been monumental (for me).
I ended up getting on a path of resetting to defaults of 2.5.1 instead of installing 2.4.5 again and praying my 2.5.1 config.xml I backed up after upgrading would load properly in 2.4.5. I edited the .XML file and removed everything between <installedpackages> and </installedpackages>, leaving it looking like <installedpackages></installedpackages> and saved it. I reset pfSense to default, plugged directly into it, went through the wizard, and then restored the config.xml. It took a couple of tries to get the .XML right, but it finally restored.
The results are the DHCP list now loads, although a lot slower than before. I still get unable to check for updates on the dashboard, and the System->Update takes forever to open, then fails the check there also. The DHCP leases list does not have any devices in there that have no Hostname, even though I know I've had devices in there before I never identified and couldn't assign them static IPs and type in hostnames (I've been trying to identify on my network lately).
I plugged back into my switch and put everything back to normal to see if it would find and assign DHCP IPs to those unknown devices again. It took a long time to refresh the list, like 2-3 minutes of spinning. None of the devices without hostnames reappeared. That will actually make it easier to figure out what they were now, because they will no longer work. But how do I get pfSense to give them dynamic IPs if it won't assign them without hostnames?
So is this an official bug, or just hits people that didn't upgrade properly and have to muddle through? Thanks for ANY advice (besides backup before upgrading....)
-
I'll start with the rather famous joke :
"Windows" is not Linux is not macOS is not FreeBSD.
(although macOS is based on FreeBSD)
So, remove Linux from your list, look at 'FreeBSD' documentation ^^
And keep in mind : no FreeBSD knowledge is needed to operate a router/firewall. Normally, the network admin doesn't care / doesn't want to know / doesn't understand what OS is used to run the router.
Removing packages before upgrade :
Not needed, and I can prove that easily : I never did so over more than 10 years.
I use several very lightweight packages like Notes, Cron, ShellCmd, Avahi, acme, openvpn-client-export. All these offer extended functionality, and cannot / do not influence the basic usage of the router. It's like putting an image on your desktop's background : that won't stop Windows from working.
Even a huge one like pfBlockerNG (latest version) can be disabled with one click. When unchecked, the entire "pfBlockerNG" code stops.
FreeRadius : same thing.
So, no need to edit the backed up config file. I even advise you not to do so.
One example : you removed <installedpackages>boatload</installedpackages>
But one of these packages could also have created firewall aliases and/or firewall rules. These are now based on non-initialized data after reboot. You just created a totally unprecedented situation. No way that everything works well now. No manual or user experience can guide you here.
So : make your life easy : don't.
Here is what I do :
Save one copy of the config.
Get a USB drive ready with the current version of pfSense (so you can get back in a snap - and having the drive prepared in your hands activates an extension of Murphy's law : you won't need it).
Now upgrade.
Works fine for me for the last decade or so.
DHCP :
The DHCP status page : nice ..... but that's a page you look at when all goes well, etc.
For DHCP to work (the most stable process on planet earth) interfaces need to be set up correctly.
Then you set up / check every DHCP server (one for each interface == LAN == VLAN).
Done.
Checking afterwards is done with : the DHCP logs. The log pages are the most important info pages on the system.
You can see DHCP requests coming in, and answers from the server going back to the network clients.
Be aware :
@hockeyfreak said in Problems upgrading from 2.4.5 to 2.5.0:
I plugged back into my switch
the interface down to up event is seen by pfSense, on its VLAN interface, and the switch. Not the devices that are hooked up behind it. These devices keep 'thinking' that they have a valid lease, and renew it when it times out, not before.
That's why you don't see much traffic as soon as you hook up your system like that.
Try this ( ) : shut down the power everywhere. Shut down manually devices that are battery powered.
Start pfSense.
Now, activate the power on ALL your devices.
You'll see a DHCP storm, guaranteed.
-
@hockeyfreak I've seen other posts about DHCP status page being slow but haven't paid much attention. Note devices will only show if they have a lease so they probably won't all show right after router restart. (not sure offhand if the leases survive a restart)
@Gertjan raises a good point about aliases disappearing. If you are remote make sure you will have access to the router if a pfBlocker alias will become nonexistent and thus a NAT or firewall rule not apply.
re: removing packages, per Netgate, "The safest practice is to remove all packages before upgrading to a new release. The upgrade process will handle packages automatically, but packages are frequently a source of problems. To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall when the upgrade is complete." So not saying it won't or can't work, just that that is their advice. Or, if an update ever doesn't work try removing packages.
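Gertjan's warning above, that a package may have created firewall aliases and rules which are left pointing at nothing once the package section is stripped, and steve's note about a pfBlocker alias becoming nonexistent, can both be checked against a config backup before anything is edited. The script below is an added example written for this thread, not pfSense code: it uses only the Python standard library, the element layout follows config.xml (<pfsense>/<aliases>/<alias>, <pfsense>/<filter>/<rule>, <pfsense>/<installedpackages>), and the sample document, the alias names and the "pfblockerng in the alias URL" heuristic are constructed assumptions.

```python
"""Audit a pfSense config.xml before removing <installedpackages>.

Added example for this thread, not pfSense code. It parses a backed-up
config.xml and reports:
  * aliases that firewall or NAT rules reference but that are not defined
  * aliases that look package-generated (assumption used here: a urltable
    alias whose URL mentions pfblockerng)
SAMPLE_CONFIG is constructed; only the element names follow config.xml.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias>
      <name>Kids_Devices</name>
      <type>host</type>
      <address>192.168.40.21 192.168.40.22</address>
      <descr>manually created alias (constructed)</descr>
    </alias>
    <alias>
      <name>pfB_Example_v4</name>
      <type>urltable</type>
      <url>https://127.0.0.1:443/pfblockerng/pfblockerng.php?pfb=pfB_Example_v4</url>
      <descr>package-created alias (constructed)</descr>
    </alias>
  </aliases>
  <filter>
    <rule>
      <type>block</type><interface>lan</interface>
      <source><address>Kids_Devices</address></source>
      <destination><any/></destination>
      <descr>block kids at night</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <source><address>pfB_Example_v4</address></source>
      <destination><any/></destination>
      <descr>package-created block rule</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><any/></source>
      <destination><address>OldPackageAlias</address></destination>
      <descr>stale reference to a removed alias</descr>
    </rule>
  </filter>
  <installedpackages>
    <package><name>pfBlockerNG</name></package>
  </installedpackages>
</pfsense>
"""


def _looks_like_literal(addr):
    """Rule addresses are either an IP/CIDR or an alias name (assumption: literals start with a digit or contain ':')."""
    return addr[0].isdigit() or ":" in addr


def defined_aliases(root):
    return {a.findtext("name"): a for a in root.iterfind("./aliases/alias") if a.findtext("name")}


def referenced_aliases(root):
    """Alias names used as source/destination address in filter and NAT rules -> rule descriptions."""
    refs = {}
    for section in ("filter", "nat"):
        for rule in root.iterfind(f"./{section}/rule"):
            for end in ("source", "destination"):
                addr = rule.findtext(f"{end}/address")
                if addr and not _looks_like_literal(addr):
                    refs.setdefault(addr, []).append(rule.findtext("descr") or "(no descr)")
    return refs


def audit(xml_text):
    root = ET.fromstring(xml_text)
    defined = defined_aliases(root)
    refs = referenced_aliases(root)
    dangling = sorted(name for name in refs if name not in defined)
    package_backed = sorted(
        name for name, el in defined.items()
        if el.findtext("type") in ("urltable", "urltable_ports")
        and "pfblockerng" in (el.findtext("url") or "").lower()
    )
    return {"dangling": dangling, "package_backed": package_backed, "references": refs}


def installed_package_count(xml_text):
    pkgs = ET.fromstring(xml_text).find("installedpackages")
    return 0 if pkgs is None else len(pkgs)


def strip_installed_packages(xml_text):
    """Return the config with <installedpackages> emptied, which is what the manual edit in this thread did."""
    root = ET.fromstring(xml_text)
    pkgs = root.find("installedpackages")
    if pkgs is not None:
        for child in list(pkgs):
            pkgs.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for name in report["dangling"]:
        print(f"DANGLING  {name}: referenced by {report['references'][name]}")
    for name in report["package_backed"]:
        print(f"PACKAGE   {name}: package-generated; rules using it: {report['references'].get(name, [])}")
    print(f"packages before/after strip: {installed_package_count(SAMPLE_CONFIG)} / "
          f"{installed_package_count(strip_installed_packages(SAMPLE_CONFIG))}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; anything listed as DANGLING or PACKAGE is a rule that will load but no longer match what it did, which is the situation Gertjan describes.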
-
So, remove Linux from your list, look at 'FreeBSD' documentation
I really didn't mean I was trying to learn Linux, that was a general term I guess. I know there are tons of other flavors out there, and I'm trying to narrow down what I want to start focusing on learning.
So, no need to edit the backed up config file. I even advise you not doing so.
I tried reloading it with the backup and all my problems were still present. That's when I decided to edit it. The only thing that really doesn't work anymore is my OpenVPN connection, and I can set that up again when I find a good tutorial (again). I just don't do this stuff enough for it to stick in my mind over the years. I guess I should start keeping a word doc process list for all these tasks I do so I can go back and recreate them if something happens. I usually just relearn everything through tuts.
Get an USB drive ready with the current version of pfSense
Do you mean the config.xml on the USB stick, or the whole install of pfSense, or both? I'm using a FW4B for my pfSense box. Probably overkill, but I wanted a stand alone appliance to also eliminate my Frontier router.
DHCP :
Thanks for that explanation. I kind of understood it, but I've never really looked at the logs. Maybe that will help isolate what those blank hostname devices are. I've tried MAC searching, checking the hundreds of apps needed to run smart home for identifying MAC/IP address, etc. Some just refuse to be identified until everything is on a static in pfSense and identified, then when something is installed it's obvious. I should have been doing this from the start...
Try this ( )
I would have to time that perfectly with all the comings and goings around here. Or send the family on a vaca without me! I can live with a few unidentified for now. Something will happen to help me identify them eventually. I just put "Unknown1" in hostname and then check it now and then. Maybe seeing where it's communicating with in Pihole might help?
As for the update with pfSense, after settling in from 4am until noon, everything is loading faster now, and the update is able to check status. Maybe it just needed a settle in time? I followed this tut part 1 and 2 on setting up Pihole with DNS filtering (other bad tutorials are what started this whole mess) and everything seems to be working properly. The fog of DNS is starting to lift, but not totally. I did a backup before implementing all his strategies though!! Lesson learned.
Thanks for all your attention and guidance!!
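Following Gertjan's advice above to read the DHCP log rather than the status page, here is an added example written for this thread (not part of pfSense) that summarises ISC dhcpd log lines per client MAC: which interface it asked on, the address it was acked, whether it ever sent a hostname, and whether it is stuck sending DHCPDISCOVER without ever receiving a DHCPACK. The log lines are constructed to match the shape dhcpd writes (DHCPDISCOVER/OFFER/REQUEST/ACK ... via <interface>); the MACs, addresses, hostnames and interface names are invented.

```python
"""Summarise pfSense (ISC dhcpd) DHCP log lines per client.

Added example for this thread, not pfSense code. Paste the contents of the
DHCP log (Status > System Logs > DHCP) into SAMPLE_DHCP_LOG or read it from
a file. The lines below are constructed for the example.
"""
import re
from collections import defaultdict

SAMPLE_DHCP_LOG = """\
Apr 12 08:00:01 pfSense dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 (kitchen-cam) via igb0.20
Apr 12 08:00:01 pfSense dhcpd[1234]: DHCPOFFER on 192.168.20.50 to 00:11:22:33:44:55 (kitchen-cam) via igb0.20
Apr 12 08:00:02 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.20.50 (192.168.20.1) from 00:11:22:33:44:55 (kitchen-cam) via igb0.20
Apr 12 08:00:02 pfSense dhcpd[1234]: DHCPACK on 192.168.20.50 to 00:11:22:33:44:55 (kitchen-cam) via igb0.20
Apr 12 08:00:10 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via igb0.30
Apr 12 08:00:10 pfSense dhcpd[1234]: DHCPOFFER on 192.168.30.77 to aa:bb:cc:dd:ee:01 via igb0.30
Apr 12 08:00:11 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.30.77 (192.168.30.1) from aa:bb:cc:dd:ee:01 via igb0.30
Apr 12 08:00:11 pfSense dhcpd[1234]: DHCPACK on 192.168.30.77 to aa:bb:cc:dd:ee:01 via igb0.30
Apr 12 08:05:00 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via igb0.30
Apr 12 08:05:00 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via igb0.30
"""

# One pattern covers the four message types: the "(on|for) <ip>" part only
# appears on OFFER/REQUEST/ACK/NAK, the "(<hostname>)" part only when the
# client sent option 12, and "(<server-ip>)" only on some REQUESTs.
LINE_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK)"
    r"(?: (?:on|for) (?P<ip>[0-9.]+)(?: \([0-9.]+\))?)?"
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
    r" via (?P<iface>\S+)",
    re.IGNORECASE,
)


def summarize(log_text):
    """Return {mac: {"iface", "ip", "hostname", "msgs": {msg_type: count}}}."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DHCP exchange line (rotation notices, errors, ...)
        c = clients.setdefault(
            m["mac"].lower(),
            {"iface": m["iface"], "ip": None, "hostname": None, "msgs": defaultdict(int)},
        )
        c["msgs"][m["msg"].upper()] += 1
        if m["host"]:
            c["hostname"] = m["host"]
        if m["msg"].upper() == "DHCPACK":
            c["ip"] = m["ip"]  # the address the server actually granted
    return clients


def unnamed_clients(clients):
    """Clients that hold a lease but never sent a hostname: the blank-hostname rows in the GUI."""
    return sorted(mac for mac, c in clients.items() if c["msgs"]["DHCPACK"] and not c["hostname"])


def stuck_clients(clients):
    """Clients that keep sending DISCOVER without ever getting an ACK (pool, VLAN or interface problem)."""
    return sorted(mac for mac, c in clients.items() if c["msgs"]["DHCPDISCOVER"] and not c["msgs"]["DHCPACK"])


if __name__ == "__main__":
    clients = summarize(SAMPLE_DHCP_LOG)
    for mac, c in sorted(clients.items()):
        print(f"{mac}  {c['iface']:<8} {c['ip'] or '-':<15} {c['hostname'] or '(no hostname)':<16} {dict(c['msgs'])}")
    print("no hostname:", unnamed_clients(clients))
    print("never acked:", stuck_clients(clients))
```

A client listed by stuck_clients is the case to look at first: a DISCOVER that never turns into an ACK means the server saw the request on that interface but did not hand out an address, which is an interface or pool problem rather than a missing hostname.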
-
I've seen other posts about DHCP status page being slow
I've read most of them over the last 14 hours... as I said above things seemed to have settled in, it's running smooth and loading faster now. I'll start installing the packages I had before and try to get OpenVPN up and running again (another thing I'm struggling to understand even as I watch tuts and utilize it). I had Avahi running, but it never seemed to work smoothly with Chromecasts, so I just moved all media players (CC, FS, Shield) to the .40 (DNS filtered) network that almost everybody uses and the problems disappeared.
If you are remote make sure you will have access to the router
It's in my laundry room 5 feet from my office, but point taken. Aliases did reload with the config.xml I edited. I went through and made sure I was deleting only packages and their configs. Before doing this I went through and screenshotted the whole pfSense setup for a "pictorial backup" (except packages for some reason). I only had openVPN client export, Avahi, Service Watchdog (not sure why, I think a friend installed it at one point), and snort (same as watchdog). There were settings for PFblockerNG for when I tried it out, but removed it long ago, so I deleted those settings.
I've also decided I don't need .40 (filtered) and .50 (unfiltered) separated since I can use aliases to set up filtering per client to protect my kids. That sound about right?
One more question off-topic I can't find an answer for. When using OpenVPN on my phone, tablet, or computer to get back to my home network, is there any reason I shouldn't just leave it on all the time instead of using PIA or Nord? It's ad filtering, it's as speedy as my home network (500/500), there's no data cap like Nord or others, and it's encrypted from T-Mobile prying. I've seen posts saying not to leave it on (don't remember where, but it stuck in my mind).
Thanks for all your attention and advice here! If you know any spot on OpenVPN/pfSense setup tuts please reply with them, I'm diving into that next!
-
@hockeyfreak
To be honest I am afraid of upgrading the remote boxes. It is still not clear to me what went wrong or what I can do to make sure it doesn't happen moving forward.
I too have done a lot of configs and have it set up the way I wanted and it has been running for years. This was the only major issue I have ever had running pfsense.
I am sure there is some explanation...bug or something.
I still think pfsense is the best though.
-
@hockeyfreak said in Problems upgrading from 2.4.5 to 2.5.0:
any spot on OpenVPN/pfSense setup tuts please reply with them
Not 'one' place, you need to see several.
Take this one. OpenVPN in 300 seconds.
Take all these - see the basic OpenVPN, the advanced, details about the client export package.
Also : do not think that you do NOT want to look what the OpenVPN support site (the official one) has to tell you.
OpenVPN is an open-source project. It has many users, everybody wanted 'his' special case option, the thing became bloated, one might even say : complex.
You can use all the sources on the Internet you want, as soon as you recognize that :
They are often not maintained.
Videos are published because it worked for the author, which is surely not your case as your setup is different. You have to see a lot of them - see where they differ.
And remember : you only learn from mistakes.
About pfSense and OpenVPN :
It's just OpenVPN as explained on https://openvpn.net/
Only one thing changes : you are not editing the main configuration file yourself with an editor.
You use the GUI that makes this file for you.
The GUI can detect some minor possible configuration errors.
But you wind up creating this (this is what I'm using) openvpn.config file :
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.10.3
tls-server
server 192.168.3.0 255.255.255.0
server-ipv6 2001:dead:beef:ffff::/64
client-config-dir /var/etc/openvpn/server1/csc
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'your-domain.net' 1"
lport 1194
management /var/etc/openvpn/server1/sock unix
max-clients 10
push "dhcp-option DOMAIN your-domain.net"
push "dhcp-option DNS 192.168.3.1"
push "block-outside-dns"
push "register-dns"
push "dhcp-option NTP 192.168.3.1"
push "redirect-gateway def1"
push "redirect-gateway ipv6"
client-to-client
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-crypt /var/etc/openvpn/server1/tls-crypt
data-ciphers AES-256-GCM:ARIA-256-CBC:AES-128-GCM
data-ciphers-fallback AES-128-GCM
allow-compression asym
persist-remote-ip
float
topology subnet
status /var/log/openvpn.status
status-version 1
It's not because you can click click click because you use a GUI you do not need to know about how to set it up. What it needs, the conditions, the possibilities, what you need, and finding the right balance between what you need and what is possible and what is easy to maintain.
Actually, it's worse now : the GUI makes people think they can do it, as reality is "hidden".
Nothing changed for the last several decades. There is only the 'make them believe' idea that makes you think that things are easier. It's not the case. It's a show to make you 'feel well and confident'.
I know. It's hard. We have to learn every day ;)
@hockeyfreak said in Problems upgrading from 2.4.5 to 2.5.0:
I really didn't mean I was trying to learn Linux
I know, I was joking.
@hockeyfreak said in Problems upgrading from 2.4.5 to 2.5.0:
Do you mean the config.xml on the USB stick
You always have a recent copy of your desktop PC, phones, coffee machine settings and the pfSense configuration. If not, life must be hard for you.
I meant : https://docs.netgate.com/pfsense/en/latest/install/write-memstick.html
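Since the point above is that the GUI only writes the OpenVPN server config for you, it helps to be able to read that file back and see what it commits you to. The script below is an added example for this thread, not pfSense or OpenVPN code: it parses a server config in the one-directive-per-line format shown above and reports a few security-relevant settings (control-channel protection with tls-auth/tls-crypt, CBC ciphers in data-ciphers, client-to-client, whether a redirect-gateway is pushed). The sample config and the check identifiers are constructed.

```python
"""Read an OpenVPN server config and list security-relevant findings.

Added example for this thread (not pfSense or OpenVPN code). It parses the
one-directive-per-line format pfSense writes for its OpenVPN servers and
runs a few checks. SAMPLE_SERVER_CONF is constructed for the example.
"""
import shlex

SAMPLE_SERVER_CONF = """\
# constructed sample, loosely modelled on a pfSense-generated server config
dev-type tun
proto udp4
auth SHA256
tls-server
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
tls-crypt /var/etc/openvpn/server1/tls-crypt
data-ciphers AES-256-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
client-to-client
"""


def parse_openvpn_config(text):
    """Return (directive, args) pairs in file order; '#' and ';' start comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps push "redirect-gateway def1" as one argument
        entries.append((parts[0], parts[1:]))
    return entries


def review(text):
    """Return a list of (check_id, message) findings for a server config."""
    conf = parse_openvpn_config(text)
    present = {d for d, _ in conf}
    last_args = {d: a for d, a in conf}  # last occurrence wins for single-use directives
    findings = []

    # Control channel: tls-crypt encrypts and authenticates the TLS handshake
    # packets with a pre-shared key, tls-auth only authenticates them; with
    # neither, every incoming packet is handed straight to the TLS stack.
    if "tls-crypt" not in present and "tls-crypt-v2" not in present:
        if "tls-auth" in present:
            findings.append(("tls-auth-only", "control channel uses tls-auth (HMAC only); tls-crypt also encrypts it"))
        else:
            findings.append(("no-control-channel-key", "no tls-auth or tls-crypt: any peer can start a TLS handshake with the server"))

    # Data channel: CBC modes rely on the separate HMAC chosen by 'auth'; AEAD
    # (GCM) ciphers authenticate on their own, so a GCM-only list drops that path.
    ciphers = (last_args.get("data-ciphers") or [""])[0].split(":")
    cbc = [c for c in ciphers if c.upper().endswith("-CBC")]
    if cbc:
        findings.append(("cbc-data-cipher", f"data-ciphers negotiates CBC modes {cbc}"))
    fallback = (last_args.get("data-ciphers-fallback") or [""])[0]
    if fallback.upper().endswith("-CBC"):
        findings.append(("cbc-fallback", f"data-ciphers-fallback is {fallback}, used for clients that do not negotiate"))

    # client-to-client makes OpenVPN forward traffic between clients internally,
    # so firewall rules on the OpenVPN interface never see that traffic.
    if "client-to-client" in present:
        findings.append(("client-to-client", "clients can reach each other without passing the OpenVPN interface rules"))

    # A pushed redirect-gateway is what sends all client traffic through the tunnel.
    pushes = [a[0] for d, a in conf if d == "push" and a]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append(("split-tunnel", "no redirect-gateway pushed: only routed networks go through the VPN"))
    return findings


if __name__ == "__main__":
    for check_id, message in review(SAMPLE_SERVER_CONF):
        print(f"[{check_id}] {message}")
```

Pointing it at the pfSense-generated file instead of the sample shows what the GUI settings translated into; each finding names the directive involved, which is the part to cross-check against the OpenVPN manual rather than a video.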
-
Thanks for all that. I do make it a point to watch several tuts and read discussion groups about things before plunging in. I got it all set up and working, now I'm trying to learn to tweak it by assigning an IP address.
pfSense is running smoothly now, haven't had any problems in the last day or two. Thanks for everyone's help!!