Procedure to offline update hot spare to latest revision?
-
I have a spare SG-1100 that is several software revisions old. I would like to power it up, give it a fixed IP address that won't conflict with my other (active) SG-1100, update the software in it and restore a backup to it from my active SG-1100.
Do we have a documented process for doing this? Also does the backup contain the default IP address, meaning once restored it would conflict with the active unit (I assume I'd do the restore from the console with the unit unplugged from the network)?
-
@nguser6947 How old? If it’s several versions Netgate will usually say to just install new.
Alternatively you could select the previous stable backup update branch and go to that version, then 23.01.
Restores will restore IPs also. You can change it after, or edit the config file before restoring.
-
Happy to install new.
Just looking for the procedure to follow so I do this correctly.
Thanks.
-
@nguser6947 the 1100 is here
https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html
You could get the firmware and try the self upgrade. If it works, great, if not, you have a backup plan. Also important is bug https://redmine.pfsense.org/issues/13967, another reason to have an image ready to install.
I would probably try 22.05 and then 23.01, vs direct to the latest.
Also
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html
Definitely save a backup of your config.
-
@steveits …and they paused 1100 due to that bug:
https://forum.netgate.com/post/1087901
-
@nguser6947 said in Procedure to offline update hot spare to latest revision?:
Happy to install new.
Just looking for the procedure to follow so I do this correctly.
Thanks.
Getting it up to speed in terms of firmware/config is not hard. The major problem is the possible packages you are using.
If you request the latest image from TAC, you can easily write that to a USB key, and add your latest config to the key, before you boot and reinstall the box from the key.
BUT: Part of completing the installation automatically, is that the box reboots and gets online to fetch any installed packages and reinstall them in the background. So if we are talking a completely offline backup box, you cannot complete the install.
Worse yet, if you are running a pfSense primary with a static WAN IP, you cannot complete the offline install unless you temporarily can remove the primary and insert the secondary on your WAN link to let it complete install with Internet Access through its configured static IP.
If your WAN is set up for DHCP, it can complete if you just connect WAN to an IP subnet that:
1: Has Internet Access
2: Is not an interface in the restored pfSense Config (because WAN and the Interface then will have the same IP subnet).
What you can do is complete the first part by reinstalling the box with your config and then let it reboot and fail installing the packages. Shut it down and put it on the shelf as a backup.
In case it needs to be put into service, the first thing you do after connecting it and powering it up with the WAN link connected, is go to: DIAGNOSTICS -> Backup/restore config, and press “Reinstall Packages”.
But it will take a few additional minutes, and you are not 100% insured against issues with package installs
-
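Added example, not part of the thread and not Netgate's code: a pre-restore check for the two points raised above (a restore carries the interface IPs, and the staging subnet must not match an interface in the restored config). The sample config.xml is constructed, and the function names, staging subnet and active-unit address are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: only the <interfaces> part of a pfSense config.xml backup.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>mvneta0.4090</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>mvneta0.4091</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>mvneta0.4092</if><ipaddr>10.10.0.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
</pfsense>"""


def static_interfaces(config_xml):
    """Map interface name -> ip_interface for statically addressed interfaces."""
    found = {}
    for iface in ET.fromstring(config_xml).findall("./interfaces/*"):
        addr = (iface.findtext("ipaddr") or "").strip()
        prefix = (iface.findtext("subnet") or "").strip()
        try:
            found[iface.tag] = ipaddress.ip_interface(f"{addr}/{prefix}")
        except ValueError:
            continue  # "dhcp" or empty: no fixed address stored in the backup
    return found


def restore_conflicts(config_xml, staging_net, active_addrs=()):
    """List (interface, reason) pairs to fix before restoring on the bench."""
    staging = ipaddress.ip_network(staging_net)
    active = {ipaddress.ip_address(a) for a in active_addrs}
    problems = []
    for name, ifc in static_interfaces(config_xml).items():
        # WAN is the port plugged into the staging network, so skip it here.
        if name != "wan" and ifc.version == staging.version \
                and ifc.network.overlaps(staging):
            problems.append((name, f"{ifc.network} overlaps staging {staging}"))
        if ifc.ip in active:
            problems.append((name, f"{ifc.ip} is in use by the active unit"))
    return problems


if __name__ == "__main__":
    # Assumed bench setup: spare's WAN on the production LAN, active unit at .1
    for name, reason in restore_conflicts(SAMPLE_CONFIG, "192.168.1.0/24",
                                          ["192.168.1.1"]):
        print(f"{name}: {reason}")
```
-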
I have a new pfS behind my prod pfS with the test's WAN port plugged into my prod LAN getting a DHCP address, gave the test LAN a different subnet and installed from there. You can start fresh on the second box, update it as far as you can, then restore the original config, or install, update, reinstall pkgs, then restore config. HTH
-
@keyser The only package I'm using is pfBlockerNG.
-
I'll hold tight for a while.
-
@nguser6947 said in Procedure to offline update hot spare to latest revision?:
@keyser The only package I'm using is pfBlockerNG.
That is the best package for pfSense - period.
But it is also the worst for what you are looking to do. Because depending on your setup that will either autocreate and sort your firewall rules or create an alias set that cannot resolve when it’s not installed