Unplug WAN before device flash?
I've had my fair share of reinstalls between 22.05 and 23.01 and wonder what the normal, or even best, practice for this might be. I usually download what I need locally and then unplug WAN. But as good as that may be, it also comes with the implication of not being able to download the latest patches, packages and what-not during install. So, does the Netgate block WAN as usual during flash/setup procedures, or is it in fact a good or necessary strategy to unplug?
And while at it, which is the recommended method? Upgrading or bare-metal flash?
@furom Installs do reinstall packages (though upgrade advice is to uninstall yourself first, and reinstall after). So I would not disconnect WAN. Restores will also install packages in the restored config file.
Normally there is no problem upgrading. Upgrading doesn't replace the file system so for instance when ZFS became the default (on most hardware) it needs a new install. If something goes haywire during the upgrade then reinstalling and restoring from backup config is often the fastest and most reliable way to recover. I've only had that problem I think twice in about 15 years on all our clients, not counting the current bug on the older models 1100/2100 upgrading to 23.01.
@steveits agreed. I usually prefer the upgrade over bare-metal too. Over the years I have seen it as a last resort "when all else failed". But now even that gave me a bit of a challenge. @stephenw10 spotted the issue quickly though. :)
It all depends also on where you are using this firewall, in my eyes! If you use it in a production case it is better to have a spare unit or testing unit, or perhaps an HA setup that you can swap over to in case of problems; for private usage it might not really be interesting. In both cases a backup and a settings backup may be the best. I prefer to install 2.7 (ZFS) and then upgrade to 23.01 RC, installing the packages and reinstalling the settings backup.
@dobby_ said in Unplug WAN before device flash?:
It all depends also where you are using this firewall
Good point! Totally agree that the environment it is used in is key to what procedure would be preferred in most cases. Point of my question here was mainly to find out if my network is vulnerable during the flash process, ie is my network still safe with a half installed netgate device between my network and the internet... Perhaps I'm being just a tiny bit too paranoid, but I do take security seriously, and not claiming to know or assume I know it all... Just curious and want to learn best practice whenever I can :)
@furom OK I understand your question now. My impression is it downloads, then installs during the reboot so I would think everything would be off at that point. You can try pinging out during the reboot but I fully expect nothing is routing in that state.
The word "flash" I usually associate with a firmware update as opposed to a software update. That's closer to how the Netgate ARM devices work where you boot to a Marvell> prompt and run a process to copy the image from USB to the hard drive. In that state no OS is running, so no routing.
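The "try pinging out during the reboot" check above can be made systematic. The script below is an added example, not something from this thread or from Netgate: run it on a LAN host before starting the upgrade or reinstall, and it logs a timestamped line every time reachability of the firewall's LAN address or of a host beyond the WAN changes, so you can see exactly when forwarding stops and when it resumes relative to the reboot. The addresses (192.168.1.1 for the firewall's LAN side, 9.9.9.9 as an external target) and the Linux `ping -W` syntax are assumptions; adjust them for your network.

```shell
#!/bin/sh
# Added example (not from the thread): watch LAN-gateway and WAN reachability
# from a LAN host while the firewall reboots/reinstalls, and log every state
# change with a timestamp. Hosts below are assumptions; adjust for your network.
LAN_GW="${LAN_GW:-192.168.1.1}"     # assumed LAN address of the firewall
WAN_HOST="${WAN_HOST:-9.9.9.9}"     # assumed external host beyond the firewall
INTERVAL="${INTERVAL:-2}"           # seconds between probe rounds

# probe HOST -> prints "up" or "down" from one ICMP echo with a 1 s timeout.
# (-W 1 is Linux ping syntax; on FreeBSD/macOS the -W unit is milliseconds.)
probe() {
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# fmt_state LAN WAN -> one-word summary of what a LAN host can currently reach
#   forwarding : firewall answers and traffic still passes to the WAN side
#   fw-only    : firewall answers but nothing is routed (expected mid-install)
#   isolated   : firewall itself is unreachable (rebooting / installer running)
#   leaking    : WAN reachable while the firewall does not answer on LAN;
#                worth investigating, since some other path is forwarding
fmt_state() {
    case "$1/$2" in
        up/up)     echo forwarding ;;
        up/down)   echo fw-only ;;
        down/down) echo isolated ;;
        down/up)   echo leaking ;;
        *)         echo unknown ;;
    esac
}

# monitor -> loop forever, printing a line only when the summary state changes
monitor() {
    prev=""
    while :; do
        cur=$(fmt_state "$(probe "$LAN_GW")" "$(probe "$WAN_HOST")")
        if [ "$cur" != "$prev" ]; then
            printf '%s state=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$cur"
            prev="$cur"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as:  sh monitor.sh run
if [ "${1-}" = run ]; then
    monitor
fi
```

Start it a minute before you kick off the upgrade and stop it with Ctrl-C once the firewall is back. The interesting lines are the transitions into `fw-only` or `isolated` (the window during which nothing should be routed) and back to `forwarding`; a `leaking` line means something other than the firewall is carrying traffic to the outside and deserves a look.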
@steveits said in Unplug WAN before device flash?:
In that state no OS is running, so no routing
Perfect, this was what I was after. Thank you