How upgrade from 2.4 (with OpenBGP) to 2.6 ?

minimos

We'd like to update our HA pair of pfSense (CE) 2.4.3 to 2.6.
Out of the few additional packages installed, probably the critical one is OpenBGP, which should be changed to FRR in 2.6.
I'd mention here also that we use OpenVPN (as I saw some issues with FRR reported in the past)

If I understand correctly, the upgrade process for a pair is:

Backup secondary
Upgrade secondary to 2.6
Backup again secondary
Disable CARP + failover primary
Backup primary
Upgrade primary to 2.6
Backup primary
Reactivate CARP

In this schema, how to handle the change OpenBGP -> FRR,
possibly without losing connectivity for too long.

jimp

The smoothest transition would be to move to FRR before you upgrade anything, rather than after. Then you can be reasonably sure that things are working on FRR and will continue to do so after updating.

You'll need to make sure your upgrade branch is pointed at 2.4.x before touching packages, though. You don't want it to try pulling in FRR from 2.6.x on top of what you have now.

I'd do something like this:

Take backups of both
Disable HA config sync
Setup FRR on secondary
Put primary in maintenance mode and test FRR config, fix whatever needs fixing, etc.
Move primary to FRR
Fail back to primary and test and so on
Re-enable HA config sync
Take backups again
Proceed on to the usual HA upgrade path

There may be some snags there, like I mentioned being sure it's getting the right packages on a version that old.

The alternative would be to go scorched earth and upgrade/reinstall both with 2.6 and configure FRR afterward but you would need a bigger maintenance window there as you'd have a lot more downtime involved.

minimos

@jimp Thanks! Are the packages for 2.4.x still available? Unless there is some misconfiguration on the pfSense (DNS settings?), the Package Manager doesn't detect any upgradable or available package to install.

jimp

I don't think I have any installs that old around to check. The branches should still be on the servers, though you might have to go into the update settings and make sure it's set to stay on that old/legacy version. If it tries to pull packages from the default place they'd be coming from the next version up or whatever it's trying to upgrade you to.

If that is the case it might be more trouble than it's worth to try touching the packages where it is.

minimos

@jimp You are correct. If I switch the update settings to the old/deprecated 2.4.5 the f/w can see some available packages (and also updates for the installed ones).

minimos

EDIT: However, from a quick test with a pfsense 2.4.3+2.4.4 installed on Virtualbox, it seems that from 2.4.3 (which we have running) to 2.4.4 php has been updated from 5.6 to 7.2 and so the package manager would refuse to install packages in the repository for pfsense 2.4.5 on a 2.4.3 installation.
So probably a first general upgrade 2.4.3 -> 2.4.5 might be needed.

stephenw10

You might be able to do it for force reinstalling the repo pkg from:
https://pkg00-atx.netgate.com/pfSense_v2_4_3_amd64-pfSense_v2_4_3/All/pfSense-repo-2.4.3_4.txz

Then selecting previous version. However even that looks like it's set to use 2.4.4.
So maybe:
https://pkg00-atx.netgate.com/pfSense_v2_4_2_amd64-pfSense_v2_4_2/All/pfSense-repo-2.4.2_3.txz

Or create a custom repo conf file:

FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_3_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

pfSense: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_3_amd64-pfSense_v2_4_3",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}