Searching network details related to pfsense updates
-
Hi All,
I am using a bunch of pfsense+ boxes (NG-1100 & NG-6100) on an internal network.
I would like to be able to update these boxes. I see a few options:
(1) The easy way (but not allowed by my organization and therefore not an option): Disconnect the boxes and connect them to an internet facing network, perform the update then disconnect and connect to the internal network again.
(2) From each box, set up an additional network connection (using an unused network port) to an internet-facing network, perform the update, then disconnect again.
(3) Download the update (OS & packages) and, using a USB stick, move them to this internal network, then perform an installation.
As stated above, my organization does not allow option (1). Option (3) is the preferred solution, but I have no clue as to how to do this. Option (2) will lead to a discussion, but if I come up with a list of protocols and sites it might be allowed.
Can anyone help here? Maybe shed some light on how option (3) would be possible or, if that turns out to be impossible, some details as to what exactly (sites, protocols, etc.) is used when a pfsense+ box is updating. Yes, I know I could trace internet traffic while a device is updating, but (a) this is a lot of work to set up and then analyse, and (b) it is potentially incomplete because the traced update likely does not update everything, potentially resulting in some site / protocol not being used and therefore not captured by my trace.
I hope someone can help
-
Option 3 is quite straight forward. Backup the config files. Boot from the recovery image on a USB drive and install the new version. Restore the config.
Open a ticket to get the recovery images: https://www.netgate.com/tac-support-request
The only issue with that is it will not be able to pull in any packages if you are using any.
Steve
-
@stephenw10
Hi Steve,
Thanks for the reply.
I do use packages, so option 3 is a no-go if packages are not possible that way. The question then goes back to details as to what exactly (sites, protocols, etc.) is used when a pfsense+ box is updating.
I hope someone can help.
-
It should be sufficient to allow https to 208.123.73.0/24. As long as DNS works locally.
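To make the egress allow-list in the reply above concrete, here is an added example (not code from the thread or from Netgate) that models the proposed policy and checks constructed sample flows against it: TCP/443 to 208.123.73.0/24 is permitted, DNS is permitted only to a local resolver, and everything else is denied. The local resolver address 10.0.0.53, the flow records and the pf-style rule text are assumptions for illustration; the only fact taken from the thread is the 208.123.73.0/24 destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Destination network stated in the reply; everything else here is assumed.
PKG_NET = ipaddress.ip_network("208.123.73.0/24")
# Assumed internal resolver. "DNS works locally" means the box never needs
# to reach an external DNS server, so only this host gets port 53.
LOCAL_RESOLVER = ipaddress.ip_address("10.0.0.53")


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt from the firewall itself."""
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def allowed(flow: Flow) -> bool:
    """Apply the egress policy: https to the package net, DNS to the local resolver."""
    dst = ipaddress.ip_address(flow.dst)
    if flow.proto == "tcp" and flow.dport == 443 and dst in PKG_NET:
        return True
    if flow.dport == 53 and dst == LOCAL_RESOLVER:
        return True
    return False


def blocked(flows: List[Flow]) -> List[Flow]:
    """Return the flows the policy would drop, e.g. to review before an update."""
    return [f for f in flows if not allowed(f)]


def pf_rules(iface: str = "em0") -> List[str]:
    """Render the same policy as pf-style rules (illustrative, not pfSense GUI output)."""
    return [
        f"pass out quick on {iface} proto tcp from any to {PKG_NET} port 443",
        f"pass out quick on {iface} proto {{ tcp udp }} from any to {LOCAL_RESOLVER} port 53",
        f"block out quick on {iface} all",
    ]


# Constructed sample flows: what an update on the uplink port might look like.
SAMPLE_FLOWS = [
    Flow("208.123.73.10", 443, "tcp"),   # package repository: allowed
    Flow("208.123.73.10", 80, "tcp"),    # plain http to the same net: blocked
    Flow("10.0.0.53", 53, "udp"),        # local resolver: allowed
    Flow("8.8.8.8", 53, "udp"),          # external resolver: blocked
    Flow("203.0.113.5", 443, "tcp"),     # unrelated https destination: blocked
]

if __name__ == "__main__":
    for rule in pf_rules():
        print(rule)
    for f in blocked(SAMPLE_FLOWS):
        print("would be blocked:", f)
```

Running the script prints the three rules and the three sample flows the policy would drop; in practice you would replace `SAMPLE_FLOWS` with flows captured on the uplink port during a test update to confirm nothing outside the allow-list is needed.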