Stay at 2.4.5-p1 or go to 2.5.2?

Gertjan

@jdeloach said in Stay at 2.4.5-p1 or go to 2.5.2?:

What issues is he having?

You get my point.
I didn't saw any details.

@bhjitsense I won't / can't discus the real reasons.
Me mentioning the "country" stands for "whatever reasons he has".
I'll respect any reason.

But I want details, so I can can try to find real answers.

@bhjitsense said in Stay at 2.4.5-p1 or go to 2.5.2?:

I’m certain what he means by stuck ....

"He means" ? That's you filling in the blanks - like me ;)
I'm not sure your issue == his issue.

tohil

Hi guys

before we go to political and law's per country, I will share some more details with you about my installation.

There have been a lot of concerns and issues when 2.5.x came out, because of that lot people still stays at 2.4.5.

I just want some personal experience feedback from the commmunity.

my box run these packages:

Avahi
haproxy
pfBlockerNG
openvpn-client-export

thanks

Gertjan

@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:

Avahi
haproxy
pfBlockerNG
openvpn-client-export

I never saw / used HAProxy but I use Avaha, pfBlockerNG and openvpn-client-export.
Go for 2.5.2 right now !!

** But do take the classic precautions :
Mine are :
I've a USB stick ready with the current pfSense version.
I've my daily config file backups.
Before upgrading :
Inspect all log files, and look for less common messages.
Do a clean reboot of pfSense, and check if every service comes back operational.
If possible, check the entire boot up process from the console. Archive this 'console log'.
Check if the 'pkg' system is fully operational. That is, without actually typing Y (for yes), execute the commands from here Troubleshooting Upgrades and here Upgrade Guide.
Test for good DNS functionality.
Check disk space - processor load average.
All fine ?

Take your coffe/the/whatever, shut down the GUI, use the console, and type

13

and hit Enter.

Enjoy the ride.
Make photos (or better : have the log logged) if you see something you want to understand / ask about.

I'm doing this very procedure for a decade or so, and it just works out.
Remember : If you know how to go forward, you know how to go backwards.

tohil

Hi Guys...

okay I've hit the update button last night.... has been like pulling the trigger of a gun in your mouth... has gone absolutely wrong... and I had to spend the evening and this morning to get all things back online again...

it seems like an internaly routing issue with 2.5.2. also on startup there was a message after bringing the interfaces up,

route: route not found....

what I have done:

First run:

1. Created a backup of 2.4.5 config
2. reboot the box
3. Created an other Backup File
4. run upgrade which worked and rebootet
5. after upgrade there was no traffic passing the box from internal subnet to wan. local routing worked. default gw of wan interface was corretly set in routing table. wan monitoring has been disabled...
   I was able to ping 8.8.8.8 from pfsense box with wan interface as source. but if i changed the source interface to an internal interface it doesn't work. i saw passing traffic in the firewall log, but was not able to transfer any packet out the wan interface itself.

second run:

1. fresh 2.5.2 install
2. import config
3. same behavior

third....fourth...fifth run

1. fresh install 2.4.5_0
2. upgrade to 2.4.5_1 and import config. 2.4.5 is using 2.5.x as pkg source, what caused installation of 2.5.0 packages and webgui was killed then.... some php issues, because of versions conflicts i guess...

vjizzle

@tohil Hi!. Sorry it went sideways for you. I have upgraded my own pfsense from 2.4.5 p1 to 2.5.2 without a hitch. Running suricata, pfblockerng and openvpnclient export. I do have intel nics, would not trust anything else for pfsense.

tohil

@vjizzle Hi

thanks for your feedback... I've placed this topic in the forum:

https://forum.netgate.com/topic/165632/update-to-2-5-2-from-2-4-5-p1-no-traffic-from-lan-to-wan-anymore

I guess there must be something particular in the config....

Gertjan

This is an issue :

@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:

fresh 2.5.2 install
import config
same behavior

After the clean install :

1. Set up a password.
2. optional : Set up your WAN. As it uses DHCP by default, it will often already work.

Now, pfSense is up and running using the minimal one WAN one LAN setup. Updates, upgrades, DNS, routing etc etc etc, it works.

At this stage, when you import the config, things stop working, you know where the issue is.
"something in the config".

You can use a fresh 'clean' install', and set up functionality using the config file as a (manual) guide line.
Add functionality step by step.
You'll find issue queickly.
Report back with the failing step.

tohil

@gertjan Hi Gertjan

Thanks for your reply... I know that doing a step-by-step troubleshooting would be the best... but you should see my config.... no way to do that... it will take a lot of hours...

I'm still hopping someone have a solution for this....

Gertjan

@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:

but you should see my config.... no way to do that... it will take a lot of hours...

There is a 'rule' or even 'law' that you shouldn't break :

Keep it simple.

Complex systems are, by nature, complex to ........ (everything).

@tohil said in Stay at 2.4.5-p1 or go to 2.5.2?:

I'm still hopping someone have a solution for this....

Sure. It exists, among a couple of million others.
All what's left to be do is sifting out the ones that don't apply to you. That will be "millions" - 1.
You should share the logs, all details of the setup, so some one can test them out one by one, or some one recognizes details of your problem, and he will share the already known answers.
You might even find a unknown bug.

tohil

@gertjan said in Stay at 2.4.5-p1 or go to 2.5.2?:

ou should share the logs, all details of the setup, so some one can test them out one by one, or some one recognizes details of your problem, and he will share the already known answers.
You might even find a unknown bug.

I've currently out of standby devices, because I have to install them on new locations... and new ones have a hugh backlog... i will test with a spare device as soon as possible...