Stay at 2.4.5-p1 or go to 2.5.2?
-
Any new recommendations for us stuck on 2.4.5-p1?
-
@tohil at the end of the day, you are the decision maker.
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
Any new recommendations for us stuck on 2.4.5-p1?
I don't get it.
First, you said :
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
what do you recommend at the moment?
and now you're stuck ?
If you live in a free country, do what @mr-rosh said : make up your mind and go for it.
-
@tohil I bought some extra used equipment to use to swap in for upgrades which allows me to preserve my current environment should I need to quickly return to it. The extra kit doubles up for emergency hardware swaps if I should need it. I am running 2.6.0 at the moment but I am testing the 'new' kit running 2.5.2 and will simply swap this hardware into my production environment soon.
My long term plan is to reduce my reliance on pfSense packages and move those applications/services off pfSense and on to their own hardware, real or virtual in the DMZ. By doing so, I can easily backrev to a previous pfSense release after upgrade day as I won't have a dependency on a non-existent package repository.
It is a lot of work to install those services outside of pfSense. I lose the convenience of the pfSense packages, the GUI and the testing by others. But it is worth it to me to be free of the avoidable aggravation caused when Netgate removes the old package repo on upgrade day.
I am also considering returning to an old-school firewall layout with one pfSense as an external border firewall, and another as an internal firewall with a proper 'transport' DMZ network connecting the two. I will use a number of spur DMZs from the internal pfSense for internal only services. In this type of setup, pfSense is easily replaceable but I have the exclusive burden of supporting it.
-
@gertjan
I’m certain what he means by stuck has little to do with freedom in his country and more to do with the upgrade not working out as expected, and the upgrade troubleshooting guide providing little to no guidance on the particular issue.
-
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
@gertjan
I’m certain what he means by stuck has little to do with freedom in his country and more to do with the upgrade not working out as expected, and the upgrade troubleshooting guide providing little to no guidance on the particular issue.
What issues is he having? I went from 2.4.5-p1 to 2.5.1 to 2.5.2 and have had no issues. I'm probably not running the same addon packages as he is but without more information about what issues he is having or thinks he might have, no one but himself can make the decision that he wants someone else to make for him.
-
@jdeloach said in Stay at 2.4.5-p1 or go to 2.5.2?:
What issues is he having?
You get my point.
I didn't see any details.
@bhjitsense I won't / can't discuss the real reasons.
Me mentioning the "country" stands for "whatever reasons he has".
I'll respect any reason.
But I want details, so I can try to find real answers.
@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:
I’m certain what he means by stuck ....
"He means" ? That's you filling in the blanks - like me ;)
I'm not sure your issue == his issue.
-
Hi guys
before we go to politics and laws per country, I will share some more details with you about my installation.
There have been a lot of concerns and issues when 2.5.x came out, because of that a lot of people still stay at 2.4.5.
I just want some personal experience feedback from the community.
my box runs these packages:
Avahi
haproxy
pfBlockerNG
openvpn-client-export
thanks
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
Avahi
haproxy
pfBlockerNG
openvpn-client-export
I never saw / used HAProxy but I use Avahi, pfBlockerNG and openvpn-client-export.
Go for 2.5.2 right now !! But do take the classic precautions :
Mine are :
I've a USB stick ready with the current pfSense version.
I've my daily config file backups.
Before upgrading :
Inspect all log files, and look for less common messages.
Do a clean reboot of pfSense, and check if every service comes back operational.
If possible, check the entire boot up process from the console. Archive this 'console log'.
Check if the 'pkg' system is fully operational. That is, without actually typing Y (for yes), execute the commands from here Troubleshooting Upgrades and here Upgrade Guide.
Test for good DNS functionality.
Check disk space - processor load average.
All fine ? Take your coffee/tea/whatever, shut down the GUI, use the console, and type
13
and hit Enter.
Enjoy the ride.
Make photos (or better : have the log logged) if you see something you want to understand / ask about.
I've been doing this very procedure for a decade or so, and it just works out.
Remember : If you know how to go forward, you know how to go backwards.
-
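The "look for less common messages" step from the checklist above, as an added example that is not part of the original post and not a pfSense tool. It assumes BSD-style syslog lines ("Mon DD HH:MM:SS host process[pid]: message"); the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: list log message templates that occur only rarely.
# The sample lines are constructed, not taken from a real firewall.
sample_log() {
    cat <<'EOF'
Jul  1 03:00:01 fw sshguard[4021]: Now monitoring attacks.
Jul  1 04:00:01 fw sshguard[5133]: Now monitoring attacks.
Jul  1 05:00:01 fw sshguard[6245]: Now monitoring attacks.
Jul  1 03:10:12 fw dpinger[900]: WAN_DHCP 192.0.2.1: Alarm latency 812us stddev 95us loss 21%
Jul  1 03:55:30 fw dpinger[900]: WAN_DHCP 192.0.2.1: Alarm latency 790us stddev 60us loss 25%
Jul  1 03:10:44 fw dpinger[900]: WAN_DHCP 192.0.2.1: Clear latency 640us stddev 80us loss 4%
Jul  1 03:40:02 fw kernel: pid 5512 (unbound), jid 0, uid 59: exited on signal 11
EOF
}

# Reduce each line to a template so repeated events compare equal:
# drop timestamp and host, then mask PIDs, IPv4 addresses and numbers.
normalize() {
    awk '{
        line = $0
        sub(/^[A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [^ ]+ /, "", line)
        gsub(/\[[0-9]+\]/, "[PID]", line)
        gsub(/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/, "IP", line)
        gsub(/[0-9]+/, "N", line)
        print line
    }'
}

# rare_messages MAX: read a log on stdin and print "count<TAB>template"
# for every template seen at most MAX times (default 1).
rare_messages() {
    max=${1:-1}
    normalize | LC_ALL=C sort | uniq -c |
        awk -v max="$max" '$1 <= max { c = $1; sub(/^ *[0-9]+ /, ""); print c "\t" $0 }' |
        LC_ALL=C sort -n
}

# Stand-alone run on the constructed sample; on a real box, feed it a log file instead.
sample_log | rare_messages 1
```

On the sample, the routine sshguard and repeated dpinger alarm lines drop out, leaving the single "Clear" event and the unbound crash as the lines worth reading before the upgrade.
-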
Hi Guys...
okay I've hit the update button last night.... has been like pulling the trigger of a gun in your mouth... has gone absolutely wrong... and I had to spend the evening and this morning to get all things back online again...
it seems like an internal routing issue with 2.5.2. also on startup there was a message after bringing the interfaces up,
route: route not found....
what I have done:
First run:
- Created a backup of 2.4.5 config
- reboot the box
- Created another backup file
- run upgrade which worked and rebooted
- after upgrade there was no traffic passing the box from internal subnet to wan. local routing worked. default gw of wan interface was correctly set in routing table. wan monitoring has been disabled...
I was able to ping 8.8.8.8 from pfsense box with wan interface as source. but if I changed the source interface to an internal interface it doesn't work. I saw passing traffic in the firewall log, but was not able to transfer any packet out the wan interface itself.
second run:
- fresh 2.5.2 install
- import config
- same behavior
third....fourth...fifth run
- fresh install 2.4.5_0
- upgrade to 2.4.5_1 and import config. 2.4.5 is using 2.5.x as pkg source, which caused installation of 2.5.0 packages and webgui was killed then.... some php issues, because of version conflicts I guess...
-
@tohil Hi!. Sorry it went sideways for you. I have upgraded my own pfsense from 2.4.5 p1 to 2.5.2 without a hitch. Running suricata, pfblockerng and openvpnclient export. I do have intel nics, would not trust anything else for pfsense.
-
@vjizzle Hi
thanks for your feedback... I've placed this topic in the forum:
https://forum.netgate.com/topic/165632/update-to-2-5-2-from-2-4-5-p1-no-traffic-from-lan-to-wan-anymore
I guess there must be something particular in the config....
-
This is an issue :
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
fresh 2.5.2 install
import config
same behavior
After the clean install :
- Set up a password.
- optional : Set up your WAN. As it uses DHCP by default, it will often already work.
Now, pfSense is up and running using the minimal one WAN one LAN setup. Updates, upgrades, DNS, routing etc etc etc, it works.
At this stage, when you import the config, things stop working, you know where the issue is.
"something in the config".
You can use a fresh 'clean' install, and set up functionality using the config file as a (manual) guide line.
Add functionality step by step.
You'll find the issue quickly.
Report back with the failing step.
-
@gertjan Hi Gertjan
Thanks for your reply... I know that doing a step-by-step troubleshooting would be the best... but you should see my config.... no way to do that... it will take a lot of hours...
I'm still hoping someone has a solution for this....
-
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
but you should see my config.... no way to do that... it will take a lot of hours...
There is a 'rule' or even 'law' that you shouldn't break :
Keep it simple.
Complex systems are, by nature, complex to ........ (everything).
@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:
I'm still hoping someone has a solution for this....
Sure. It exists, among a couple of million others.
All that's left to do is sifting out the ones that don't apply to you. That will be "millions" - 1.
You should share the logs, all details of the setup, so someone can test them out one by one, or someone recognizes details of your problem, and he will share the already known answers.
You might even find an unknown bug.
-
@gertjan said in Stay at 2.4.5-p1 or go to 2.5.2?:
You should share the logs, all details of the setup, so someone can test them out one by one, or someone recognizes details of your problem, and he will share the already known answers.
You might even find an unknown bug.
I'm currently out of standby devices, because I have to install them on new locations... and new ones have a huge backlog... I will test with a spare device as soon as possible...