Is it *always* good to update pfSense?
-
So I update my iPhone etc when a new version (.dot release or dot.dot release) comes out. But how about pfSense? I just updated my SG-2100 from 24.03 to 24.11. I never wondered if there could be reasons not to upgrade. Are there? If so I’d like to know why. Any good read available? Feel free to share your thoughts on the matter.
Thanks!
-
I'd say it's good practice to keep core infrastructure up to date; a device on the edge like a firewall is almost imperative to keep patched to the most up to date.
Netgate provide release notes with every update to tell you what they've added/improved/fixed.
There aren't really any reasons to not keep firewalls up to date in my eyes; if a business is scared of downtime, then they need to be equally scared of breaches due to unpatched internet-facing appliances.
-
@Cabledude Risk of new problems I suppose. You can mitigate that by waiting a few weeks or until the System Patches package is updated/released for it. Though you’d have to monitor the packages forum here for that.
-
@SteveITS said in Is it *always* good to update pfSense?:
> @Cabledude Risk of new problems I suppose. You can mitigate that by waiting a few weeks or until the System Patches package is updated/released for it. Though you’d have to monitor the packages forum here for that.
Thank you Steve. I am mostly not an early adopter when it comes to new releases with new features. From Nov 2024 it's been 4 months coming so I figured I'd give 24.11 a spin, even though I had a very stable SG-2100 running 24.03.
Given the large number of patches I might have waited a bit longer I suppose. Well I guess I'll just apply all and see how we go.
-
For critical infrastructure (such as a router/firewall), or heck almost anything, I'm in the "always upgrade unless there's a showstopping issue or regression" camp. I tend to read the release notes and make a plan to back up and upgrade. If I'm anxious, I'll monitor the forums in the first week for any reports of upgrade woes or gotchas people experience, then I pull the trigger and do it (after a thorough backup and allowing time for rollback).
There are usually enough bug fixes and security fixes and new features/updated packages/updated FreeBSD alone that I really look forward to upgrading.
Re: your question in the OP on "reasons not to upgrade," only if there are major showstoppers or breaking changes or if people report hiccups in the forums.
Oh, one thing that I've learned to do with the past several upgrades is to manually do another 1-2 reboots after a successful upgrade, since there's some weirdness sometimes on the very first boot after applying the upgrade (e.g. crazy high RAM usage) that completely resolves after rebooting another time or two. Besides the pre-upgrade backup, I also perform a post-upgrade backup.
-
My 5 cents:
Is it always good to update pfSense?
Yes, it is.
That is: do not update / upgrade the moment it comes out.
Take your phone, set an appointment at 'now' + 2 weeks.
During these two weeks, look at all the forum messages that talk about this new version.
If issues are mentioned, like "FreeRadius plays hardball with the new PEAP protocol when using vlan and radius capable access points" then you know: that issue won't concern you.
If it says: "the DHCP client on WAN doesn't work anymore" then you know there's a show stopper out there, and you change the appointment set to "2 weeks" and make that "1 month" and you go back to normal life for the rest of the month.
When you use the same version as everybody else, you have one huge advantage: if you find an issue, you can't be the first one that found this issue. So ... your issue is already handled and answered on the forum.
Issues can't survive if hundreds of thousands of users have the same issue: they get dealt with.
If you use pfSense Plus, you have ZFS, life gets even easier on you: create a new boot environment, boot into it, and then upgrade. Something doesn't please you and you have no time dealing with it on the spot: boot back into the previous environment and call it a day, deal with it later. "Let the forum tell you later what to do".
The ZFS file system allows me to use the Beta versions, which is normally a big no-no if pfSense is used in a production environment** as I know I can get back to a working condition the time it takes to reboot, 60 seconds or so?!
I would say the contrary is valid: if you have enough expertise, enough time to lose, you feel right at home at the command line, editing a script file here, patch something else there, you know the basics of the OS used (FreeBSD), you control the state of your router regularly, always on the lookout for the event in the system logs that is 'new' or 'strange', then, yeah, you might be qualified for the 'I don't upgrade' option.
Guess what? Experts and the ones who know what they are doing don't do this.
** or a simple 'home' setup and you have 15-year-olds as network clients, then using the Beta version can condemn you to sleep in the dog house.
-
Thank you @Finger79 and @Gertjan,
I will be a good dog and “update unless” and look at the release notes.
As for 24.11 on my SG-2100, I am disappointed because the dashboard has become quite slow. As I don’t look at my Netgate most days of the week (or month), this is not a major issue, so I’ll just stick with it now and see how things develop. But it does concern me slightly because the light ARM CPU appears to have become the bottleneck here (I have the 128GB SSD version) and it’s only 1 year old so I’m looking to keep using it for at least another 5 years, hopefully more.
-
@Cabledude https://docs.netgate.com/pfsense/en/latest/releases/25-03.html#dashboard
-
@SteveITS said in Is it *always* good to update pfSense?:
> https://docs.netgate.com/pfsense/en/latest/releases/25-03.html#dashboard
Thanks Steve,
The Redmine log appears to be quite positive. Meanwhile I reversed this patch:
Subject: [PATCH] Refresh widgets at specified intervals. Fix #15725
which made it a little bit better, but I am pleased to see that 25.03 will bring a definitive fix.