To do 23.09 or not? That's the question.

KOM

@mdthibodeau Once upon a time I used to admire & support Apple, Microsoft, Bill Gates, Canonical, Elon Musk, RedHat, Reddit and many others. Then after seeing the shitty side for long enough, I got a bad taste in my mouth for them all. I'm pretty close to that point with Netgate. I don't relish throwing away 10+ years of knowledge and experience but it gets to the point where the philosophy, ethics and morals of a company just don't align with me anymore. I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.

Ramosel

@KOM said in To do 23.09 or not? That's the question.:

I used to be a major contributor here years ago but pulled back after I started being displeased with Netgate. So many hours in these forums helping users on my own time for free. Now I just lurk. I used to recommend pfSense but I don't do that anymore either.

I've often wondered where you were... and yeah, you helped me a lot in my early days with pfSense, even when not a direct contact. Thanks! and hope you are well.

I agree but I also know in these times running a small business these days if fraught with issues and crap one shouldn't even need to worry about. Jamie and Jim have had their share of great moves and a few dumb ones. I do think they had to do something about this 3rd party thing... but not sure their first reaction was the best. The ones I really feel sorry for are the ones who bought the 3rd party boxes with the + software thinking they had something else. Oh, well.. Caveat Emptor!

Ramosel

@michmoor said in To do 23.09 or not? That's the question.:

OS upgrade went through without an issue.

Got to say I'm really feeling the lease utilization screen.......

Took me a bit to find that (cuz I was lazy and didn't scroll down through all my devices on the first place I looked).

That will be quite handy, I just wish they had put it at the top... or at least given us the option to put it at the top. Nice "at a glance" readout.

Ramosel

@mcury said in To do 23.09 or not? That's the question.:

It seems that this version is using less RAM in comparison to 23.05.1 ?

I saw your post this last night but I wanted to wait before I responded.... I was hoping you were right, and it seems you are.

Up until 23.05.1 my system (sg-4860 with 8G RAM) had run with about 15-18% RAM use consistently. After 23.05.1 mem usage bumped up to 22-24% consistently. I looked and played with all sorts of settings, finally reverting back to my original config and just figured it's the new normal. It's been 22-24% for months now. Immediately after this update my system was reporting 55% but after a few pfBlockerNG updates it dropped into the low 30s. It's run a few more hours and it's down to 15% right now. They fixed something!!

mcury

@Ramosel I'm observing something around 10-15% less RAM usage in my system.

SteveITS

@chudak May be an issue with "URL (IPs)" aliases not working:
https://forum.netgate.com/topic/183882/unresolvable-source-alias-after-upgrade-to-23-09/16

yon 0

if your need use X25519 for openvpn, then 23.09 default not support it

johnpoz

@yon-0 said in To do 23.09 or not? That's the question.:

then 23.09 default not support it

That is more of openvpn thing than any specific issue with 23.09 is it not?

yon 0

@johnpoz

need edit openvpn.inc file allow x25519 cert. delete pfsense limit it code. This is an example after deletion

foreach ($a_cert as $cert) {
		
		$properties = array();
		$propstr = "";
		$ca = lookup_ca($cert['caref']);
		$purpose = cert_get_purpose($cert['crt'], true);

yon 0

Also I can't find out why the LAN interface cannot be routed out of the WAN interface.

Screenshot of pf- Diagnostics_ Traceroute.jpg

mcury

Noticed two things.

If you upgraded from previous versions to 23.09, If you run zpool scrub pfSense, it will say that: Some supported and requested features are not enabled on the pool.
The pool was OK with 23.05.1, but now getting this message.
So, I decided to perform a clean install just to confirm and now this message is gone.

Second thing I noticed is that the storage IO is lower with this version, I'm not sure if its because I switched from ISC to KEA, but I'm getting around 40% reduction in the writes.

[23.09-RELEASE][root@pfsense.home.arpa]/root: iostat -x
                        extended device statistics
device       r/s     w/s     kr/s     kw/s  ms/r  ms/w  ms/o  ms/t qlen  %b
nda0           0       5      0.7     34.5     0     0     0     0    0   0
pass0          0       0      0.0      0.0     0     0     0     0    0   0

As you can see above, 34.5 while before upgrading, it was around 52.

Gertjan

@all

#metoo, why wait if I can click on Upgrade right now ?
Don't.
Before hitting Upgrade, take 2 minutes to prepare :
A backup of the config file,
I've the ZFS file system, So I created a "23.09" Boot Environments - and booted into it.
Step 2 eliminates step 3 : before every major system upgrade, reboot your pfSense first, and while doing so, look at the console output. Even if its all "chinese" for you.

When done - and as promised, you're 2 minutes later : hit de Upgrade button.

For people that like to have some assurance : check if you have than ISO ready on USB drive, so you can go back whatever happened.
Further more : consider yourself not ready to upgrade if you've found anything that you didn't understand while reading - all - these :

If you like to know more - go here.

Edit : for me it's 23.09 since last Monday.
Even my VPN remote access works fine.

I've checked all the logs files since, and found just this one :

I'm using a Netgate 4100 :

SteveITS

@mcury said in To do 23.09 or not? That's the question.:

If you run zpool scrub pfSense, it will say that: Some supported and requested features are not enabled on the pool.

Is this the pool upgrade note as mentioned in the release notes, under "danger"? :)

Phizix

I think I am going to hold off for about a month on my SG-5100 cause if it ain't broke don't fix it.

mcury

@SteveITS said in To do 23.09 or not? That's the question.:

@mcury said in To do 23.09 or not? That's the question.:

If you run zpool scrub pfSense, it will say that: Some supported and requested features are not enabled on the pool.

Is this the pool upgrade note as mentioned in the release notes, under "danger"? :)

Thanks SteveITS, somehow I missed that 23.05.1 - New Features and Changes info.

tman222

Upgraded two machines from 23.05.1 to 23.09 earlier this week - both finished the upgrade easily in under 5 minutes. No issues to report so far. Enabled the Kea DCHP server - looks to be working great. Logs for it seem a bit more chatty (verbose) though than the prior DHCP server. Also saw the new Intel Speed Shift settings on one of the machines and enabled / configured those as well - working fine so far. Thank you to the whole Netgate team for another great release!

Phizix

Sometime earlier this year or late last year I reloaded from scratch to use ZFS on my SG-5100. Updating to 23.05.1 went without a hitch.

I may still wait. Anyone run their SG-5100 through the update?

Also, I currently only run IPV4 on my internal network and use NAT. Any upgrade issues on that front?

Phizix

johnpoz

Pulled trigger on update few minutes ago.. Looks like it took about a total of 16 minutes from time hit confirm on update to having internet again on my sg4860

I have not checked out every package or services, etc. But pfsense has rebooted and up and showing 23.09 - and my vpn client connected, my HE tunnel shows connected and looks like all my services are running from the service widget page..

Haven't checked yet if tailscale, my openvpn server, etc. is all running... But sure looks like a very successful update, which from my experience is the norm with pfsense..

I didn't bother uninstalling any packages.. I made sure had image from tac for 23.09, I took backup configs, and connected via serial to watch the upgrade in realtime, etc..

Big thumbs up from me.. I will report back after I have chance to make sure freerad, openvpn, tailscale, haproxy, etc are all up and running.. etc..

edit: so freerad clearly working because my phone was able to auth to the wifi with eap-tls, it also was able to connect to openvpn server via cell connection and could ping device on my network. And haproxy is working.. Tailscale shows status of online in pfsense and connected from my phone on cell and able to ping device on my network.. So far sure looks a very successful and clean update..

Checked my throughput to internet, and fine 500/50 without any issues. Which is my plan from my isp.

chudak

Finally came home and also upgraded to 23.09.
Took me a little longer ~30 min as I had to do a hard reboot after ~20 min as the resolver did not seem to work well.
But after that all seemed OK, checked WG, OpenVPN, and TaleScale.

No obvious errors so far. CPU temperature looks a bit higher, but that may be related to the upgrade itself.

I did remove Data Encryption Algorithms that were mentioned as incompatible in the release notes prior to upgrading.
I have now left these:

Gertjan

@chudak said in To do 23.09 or not? That's the question.:

I have now left these:

Remember to export (and import) new client opvn file(s).

@chudak said in To do 23.09 or not? That's the question.:

as the resolver did not seem to work well.

Any details (from the logs) available why it didn't restart ?
It was marked as stopped in the GUI , Restating from the GUI wasn't possible ?