Nanobsd upgrade from 2.0.1 to 2.1 using web GUI



  • can any1 confirm upgrading from nanobsd 2.0.1 to 2.1 works as of now without issues using the auto update in pfsense web GUI?


  • Rebel Alliance Developer Netgate

    It worked last time I tried it a couple months ago, is there some specific problem you've had with the process before that you're worried about?



  • i havent tried because the last time i did from v1.2 to 2 it almost broke my system, good thing i had a config backup but i lost the file patches i had so wanted to confirm if any1 had tried it. i also hope the below things work after the upgrade as they r main things i use as of now

    pppoe
    wifi access point
    alias
    advanced outbound NAT
    firewall rules
    schedules
    traffic shaper
    limiter
    dhcp server with static arp
    upnp
    openvpn client
    cron package

    it would be good to be able to take a system image from the gui rather than just a config backup.


  • Rebel Alliance Developer Netgate

    You can make a system image in the GUI on 2.1: when doing an auto update there is a checkbox to make a full backup image (or you can use /etc/rc.create_full_backup on 2.0.x as well).

    I use all of the things you mention actively on 2.1 except for static arp. Though as far as I know that code hasn't changed so I don't have any reason to suspect it's broken.



  • can u provide me the complete commands list based on nanobsd as i guess the system will be read only so it wont save the image, once image is created i would need to download it from the box and a way to restore also would be appreciated


  • Rebel Alliance Developer Netgate

    Just /etc/rc.create_full_backup - it'll work on NanoBSD if you do /etc/rc.conf_mount_rw first, but it'd probably be pretty slow.

    If you're that worried, just image a fresh CF with 2.1 and then restore your config there. If it goes bad, just swap the CF back.



  • this is what i get when i run it from console

    [2.0.1-RELEASE][root@firewall.xbipin]/root(1): /etc/rc.create_full_backup
    >>> Creating full backup to /root/pfSense-full-backup-20120828-1747.tgz
    tar: Failed to open '/root/pfSense-full-backup-20120828-1747.tgz'
    >>> Backup completed.  Note: this backup includes config.xml!
    >>> To restore this backup run this command:
        /etc/rc.restore_full_backup /root/pfSense-full-backup-20120828-1747.tgz
    [2.0.1-RELEASE][root@firewall.xbipin]/root(2):
    

  • Rebel Alliance Developer Netgate

    Did you run /etc/rc.conf_mount_rw first?



  • ok that worked but i got these errors or warnings

    [2.0.1-RELEASE][root@firewall.xbipin]/root(1): /etc/rc.conf_mount_rw
    [2.0.1-RELEASE][root@firewall.xbipin]/root(2): /etc/rc.create_full_backup
    >>> Creating full backup to /root/pfSense-full-backup-20120828-1911.tgz
    tar: --exclude: Cannot stat: No such file or directory
    tar: --exclude: Cannot stat: No such file or directory
    tar: var/run/*: Cannot stat: No such file or directory
    tar: --exclude: Cannot stat: No such file or directory
    tar: root/*: Cannot stat: No such file or directory
    tar: --exclude: Cannot stat: No such file or directory
    tar: var/empty/*: Cannot stat: No such file or directory
    tar: --exclude: Cannot stat: No such file or directory
    tar: var/empty: Cannot stat: No such file or directory
    tar: --exclude: Cannot stat: No such file or directory
    tar: var/etc: Cannot stat: No such file or directory
    tar: /var/dhcpd/var/run/log: tar format cannot archive socket
    tar: /var/run/check_reload_status: tar format cannot archive socket
    tar: /var/run/log: tar format cannot archive socket
    tar: /var/run/devd.pipe: tar format cannot archive socket
    tar: /var/run/logpriv: tar format cannot archive socket
    tar: /var/run/hostapd/ath0_wlan0: tar format cannot archive socket
    tar: /var/etc/openvpn/client1.sock: tar format cannot archive socket
    tar: /tmp/php-fastcgi.socket-0: tar format cannot archive socket
    tar: /tmp/php-fastcgi.socket-1: tar format cannot archive socket
    tar: /root/pfSense-full-backup-20120828-1911.tgz: Can't add archive to itself
    tar: Error exit delayed from previous errors.
    >>> Backup completed.  Note: this backup includes config.xml!
    >>> To restore this backup run this command:
        /etc/rc.restore_full_backup /root/pfSense-full-backup-20120828-1911.tgz
    

  • Rebel Alliance Developer Netgate

    That's probably fine then, the errors are normal as certain things can't be backed up. Though if you want to check, you can download a copy and then later on try to restore it with /etc/rc.restore_full_backup
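
The two console runs above differ in one important way: the first printed "Backup completed." although tar never opened the archive. The following is an added example, not part of the original posts and not pfSense code, that separates the tar messages called normal in this thread from any others and checks the resulting image before the filesystem goes read-only again. Function names are hypothetical, and /etc/rc.conf_mount_ro (not named in the thread) is assumed as the read-only counterpart of /etc/rc.conf_mount_rw.

```shell
#!/bin/sh
# Added example: checks around /etc/rc.create_full_backup on NanoBSD.
# Function names are hypothetical; sample text is copied from this thread.

# tar stderr from the two console runs quoted above (abridged).
RUN1="tar: Failed to open '/root/pfSense-full-backup-20120828-1747.tgz'"
RUN2="tar: --exclude: Cannot stat: No such file or directory
tar: /var/run/log: tar format cannot archive socket
tar: /root/pfSense-full-backup-20120828-1911.tgz: Can't add archive to itself
tar: Error exit delayed from previous errors."

# Print only the tar messages that fall outside the classes the thread
# treats as normal (sockets, the archive itself, unmatched exclude paths).
unexpected_tar_errors() {
    grep '^tar: ' | grep -v \
        -e 'tar format cannot archive socket$' \
        -e "Can't add archive to itself\$" \
        -e 'Cannot stat: No such file or directory$' \
        -e 'Error exit delayed from previous errors\.$' || true
}

# Succeed only if the archive exists, is non-empty, lists cleanly and
# contains a config.xml member (its path inside the archive is not assumed).
verify_backup() {
    archive=$1
    [ -s "$archive" ] || { echo "missing or empty: $archive" >&2; return 1; }
    listing=$(tar -tzf "$archive" 2>/dev/null) ||
        { echo "unreadable archive: $archive" >&2; return 1; }
    printf '%s\n' "$listing" | grep -Eq '(^|/)config\.xml$' ||
        { echo "no config.xml in: $archive" >&2; return 1; }
    # config.xml holds credentials and VPN keys: keep the image owner-only.
    chmod 600 "$archive"
}

# On-box procedure: remount rw, back up, check, then always remount ro.
# /etc/rc.conf_mount_ro is the read-only counterpart of rc.conf_mount_rw.
full_backup_checked() {
    /etc/rc.conf_mount_rw || return 1
    # Exit status is ignored on purpose: the first run in the thread printed
    # "Backup completed." although tar had failed to open the archive.
    log=$(/etc/rc.create_full_backup 2>&1) || true
    archive=$(printf '%s\n' "$log" | sed -n 's/^>>> Creating full backup to //p')
    bad=$(printf '%s\n' "$log" | unexpected_tar_errors)
    status=0
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        status=1
    else
        verify_backup "$archive" || status=1
    fi
    /etc/rc.conf_mount_ro
    return "$status"
}

# Offline demo on the sample text; run full_backup_checked on the firewall.
printf '%s\n' "$RUN1" | unexpected_tar_errors
```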



  • the upgrade went smooth, though few problems, i keep getting an error for this rule i have for icmp

    	[ There were error(s) loading the rules: /tmp/rules.debug:165: illegal dscp value EFpfctl: Syntax error in config file: pf rules not loaded - The line in question reads [165]: match proto icmp from any to any dscp EF queue (qOthersHigh) label USER_RULE: ICMP]
    
    Aug 29 04:54:59 	php: : There were error(s) loading the rules: /tmp/rules.debug:165: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [165]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    
    Aug 29 04:55:08 	php: : The command '/usr/local/sbin/relayd -f /var/etc/relayd.conf' returned exit code '1', the output was '/var/etc/relayd.conf:7: syntax error no redirections, nothing to do unused protocol: dnsproto'
    Aug 29 04:55:10 	check_reload_status: rc.newwanip starting ovpnc1
    Aug 29 04:55:12 	check_reload_status: Updating all dyndns
    Aug 29 08:55:36 	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded'
    Aug 29 08:55:39 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    Aug 29 08:55:39 	php: : There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    Aug 29 04:55:44 	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded'
    Aug 29 04:55:44 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    Aug 29 04:55:44 	php: : There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    
    

    other than that i had to goto the wan interface and click save so pppoe would connect coz after upgrade it was connected but pfsense wasnt routing packets to and from the internet



  • the other issue after upgrade was that i had cron package installed earlier on 2.0.1, it didnt reinstall after upgrade but due to its info present in the config, the cron link shows under services tab but when u try to configure says not found. after reinstalling it manually then it starts working



  • some other issue, my openvpn client account is connected but im not able to route through it at all, under status gateway keeps saying status as pending, i guess it has some issue related to ipv6 as my isp is totally ipv4 so basically i dont use ipv6 as of now



  • the issue related to openvpn client is, earlier i had 2 entries under system->routing, one for wan and other for openvpn, both dynamic IP but after the upgrade, i see an extra one for openvpn client with ipv6 although i have set ipv6 config type to none for interface configured for openvpn as well as blocked ipv6 from system->advanced->networking and to be able to route packets through this tunnel i have to edit the openvpn ipv6 entry and set it to disable monitoring then only will i be able to route through the tunnel and also the routing entry for openvpn ipv4, i have set monitoring ip but under status->gateway it keeps showing status as pending, it actually doesnt monitor



  • the other issue which few others mentioned about slowness, its true and the web gui seems to work very slow compared to older versions as well as i noticed that when u issue some command through the serial console and at the same time u save or edit something on the web gui, both seem to freeze until the web gui command has completed after which only the serial console will complete its task. im on the nanobsd on alix box


  • Rebel Alliance Developer Netgate

    DSCP issue seems to be a bug - will need some research but I am able to replicate it here

    NanoBSD slowness is a known issue, it only happens to certain CF cards, others are fast.

    Not sure why OpenVPN wouldn't be routing - that wouldn't have anything to do with the gateways under System > Routing for typical VPN usage. Even if it were being used in a Gateway Group it should still get used, iirc.

    The IPv6 gateway is automatic, and not hurting anything, safe to ignore.



  • DSCP issue meaning that cron package or status-> gateway issue?

    the openvpn created gateway keeps showing pending, even same for the ipv6 entry it creates and openvpn doesnt work due to that until i set the ipv6 entry to disable monitoring, once done openvpn starts working but the ipv4 entry still keeps showing pending under gateway monitoring, in v2.0.1 the monitoring worked perfectly fine



  • can u recommend which CF card works fast so i can get that, already have 3 but is slow on all of them



  • also under status->system log->system->gateways i get a flood of this constantly

    Aug 29 18:19:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:20:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:24:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:25:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:29:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:30:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:34:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:35:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:39:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:40:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:44:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:45:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:49:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:50:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:54:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:55:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:59:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 19:00:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 19:04:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 19:05:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 19:09:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 19:10:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 19:14:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 19:15:07 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 19:19:07 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 19:20:07 	apinger: rrdtool respawning too fast, waiting 300s.
    


  • also my openvpn client tunnel says this, so is there any way to disable ipv6 for openvpn client config?

    Aug 29 18:42:53 	openvpn[55431]: WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
    

  • Rebel Alliance Developer Netgate

    @xbipin:

    DSCP issue meaning that cron package or status-> gateway issue?

    DSCP meaning the filter reload error.

    Cron failure was probably due to the filter reload error or some other connectivity issue. Any test I've performed upgrading with packages was OK.

    @xbipin:

    the openvpn created gateway keeps showing pending, even same for the ipv6 entry it creates and openvpn doesnt work due to that until i set the ipv6 entry to disable monitoring, once done openvpn starts working but the ipv4 entry still keeps showing pending under gateway monitoring, in v2.0.1 the monitoring worked perfectly fine

    The gateway entries there have -zero- to do with OpenVPN's internal routing, unless you have misconfigured something.

    @xbipin:

    can u recommend which CF card works fast so i can get that, already have 3 but is slow on all of them

    The only one I remember at the moment is that Sandisk 30MB/s 200x card was fast (4s to remount ro), but a Kingston 133x card was slow (45s to remount ro). See http://redmine.pfsense.org/issues/2401

    @xbipin:

    also under status->system log->system->gateways i get a flood of this constantly

    Aug 29 18:19:06 	apinger: Error while feeding rrdtool: Broken pipe
    Aug 29 18:20:06 	apinger: rrdtool respawning too fast, waiting 300s.
    Aug 29 18:24:06 	apinger: Error while feeding rrdtool: Broken pipe
    
    

    Those aren't the real issue, check the main system log. Something must be restarting the gateway monitoring at those times.

    @xbipin:

    also my openvpn client tunnel says this, so is there any way to disable ipv6 for openvpn client config?

    Aug 29 18:42:53 	openvpn[55431]: WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
    

    That's harmless.



  • system log doesnt show anything restarting it, but let me reboot and see.

    that ipv6 config for openvpn, is there some way to disable it completely even though its harmless

    config wise its all standard and all was working fine on 2.0.1, i simply upgraded to 2.1, the openvpn config also i read on pfsense forum and configured it as mentioned and worked flawless till now, do u want my config files for both versions?



  • the below error also is there related to a firewall rule i created for icmp, once i disable it the errors go and once i enable they come back

    Aug 29 04:55:44 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    Aug 29 04:55:44 	php: : There were error(s) loading the rules: /tmp/rules.debug:185: illegal dscp value EF pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [185]: match proto icmp from any to any dscp EF queue (qOthersHigh) label "USER_RULE: ICMP"
    


  • the other thing i noticed was one error message after upgrading nanobsd and rebooting related to wrong file format

    FreeBSD/i386 (firewall.xbipin) (console)
    
    Broadcast Message from root@firewall.xbipin
            (no tty) at 10:29 GST...
    
    NanoBSD Firmware upgrade in progress...
    
    Broadcast Message from root@firewall.xbipin
            (no tty) at 10:29 GST...
    
    Installing /root/latest.tgz.
    
    Broadcast Message from root@firewall.xbipin
            (no tty) at 10:31 GST...
    
    NanoBSD Firmware upgrade is complete.  Rebooting in 10 seconds.
    
    *** FINAL System shutdown message from root@firewall.xbipin ***
    
    System going down IMMEDIATELY
    
    pfSense is now shutting down ...
    
    /libexec/ld-elf.so.1: /usr/local/lib/librrd.so.2: invalid file format
    tar: var/db/rrd/*.xml: Cannot stat: No such file or directory
    tar: Error exit delayed from previous errors.
    rm: /var/db/rrd/*.xml: No such file or directory
    ovpnc1: link state changed to DOWN
    pflog0: promiscuous mode enabled
    pflog0: promiscuous mode disabled
    Waiting (max 60 seconds) for system process `vnlru' to stop...done
    Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
    Waiting (max 60 seconds) for system process `syncer' to stop...
    Syncing disks, vnodes remaining...0 0 done
    All buffers synced.
    Uptime: 8h31m27s
    usbus0: Controller shutdown
    uhub0: at usbus0, port 1, addr 1 (disconnected)
    usbus0: Controller shutdown complete
    usbus1: Controller shutdown
    uhub1: at usbus1, port 1, addr 1 (disconnected)
    usbus1: Controller shutdown complete
    Rebooting...
    


  • the errors related to openvpn gateway monitor, i rebooted the system and below r the logs, i see syntax errors related to relayd and some curl error and some messages that say impossibly lacks ifp

    Aug 30 10:33:42 	kernel: ovpnc1: link state changed to UP
    Aug 30 06:33:42 	check_reload_status: rc.newwanip starting ovpnc1
    Aug 30 06:33:46 	php: : ROUTING: setting default route to 195.229.252.27
    Aug 30 06:33:46 	php: : The command '/usr/local/sbin/relayd -f /var/etc/relayd.conf' returned exit code '1', the output was '/var/etc/relayd.conf:7: syntax error no redirections, nothing to do unused protocol: dnsproto'
    Aug 30 06:33:49 	check_reload_status: Updating all dyndns
    Aug 30 10:33:59 	php: : ROUTING: setting default route to 195.229.252.27
    Aug 30 06:34:00 	check_reload_status: Restarting ipsec tunnels
    Aug 30 06:34:00 	check_reload_status: Reloading filter
    Aug 30 10:34:00 	php: : DynDns: updatedns() starting
    Aug 30 10:34:00 	php: : DynDns debug information: 92.96.246.49 extracted from local system.
    Aug 30 10:34:00 	php: : running get_failover_interface for . found
    Aug 30 10:34:00 	php: : DynDns debug information: 92.96.246.49 extracted from local system.
    Aug 30 10:34:00 	php: : DynDns: Current WAN IP: 92.96.246.49 Cached IP: 92.96.222.121
    Aug 30 10:34:00 	php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 92.96.222.121 WAN IP: 92.96.246.49
    Aug 30 10:34:00 	php: : DynDns: DynDns _update() starting.
    Aug 30 10:34:00 	php: : DynDns: DynDns _checkStatus() starting.
    Aug 30 10:34:00 	php: : DynDns: Current Service: dyndns
    Aug 30 10:34:00 	php: : Curl error occurred: Couldn't bind to ''
    Aug 30 10:34:01 	php: : rc.newwanip: Informational is starting ovpnc1.
    Aug 30 10:34:01 	php: : rc.newwanip: on (IP address: 10.13.40.166) (interface: opt2) (real interface: ovpnc1).
    Aug 30 10:34:01 	php: : DynDns: updatedns() starting
    Aug 30 10:34:01 	php: : DynDns debug information: 92.96.246.49 extracted from local system.
    Aug 30 10:34:02 	php: : running get_failover_interface for . found
    Aug 30 10:34:02 	php: : DynDns debug information: 92.96.246.49 extracted from local system.
    Aug 30 10:34:02 	php: : DynDns: Current WAN IP: 92.96.246.49 Cached IP: 92.96.222.121
    Aug 30 10:34:02 	php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: 92.96.222.121 WAN IP: 92.96.246.49
    Aug 30 10:34:02 	php: : DynDns: DynDns _update() starting.
    Aug 30 10:34:02 	php: : DynDns: DynDns _checkStatus() starting.
    Aug 30 10:34:02 	php: : DynDns: Current Service: dyndns
    Aug 30 10:34:02 	php: : Curl error occurred: Couldn't bind to ''
    Aug 30 10:34:06 	php: : Resyncing OpenVPN instances for interface WAN.
    Aug 30 10:34:11 	php: : pfSense package system has detected an ip change 0.0.0.0 -> ... Restarting packages.
    Aug 30 06:34:11 	check_reload_status: Starting packages
    Aug 30 10:34:11 	kernel: ovpnc1: link state changed to DOWN
    Aug 30 06:34:11 	check_reload_status: Reloading filter
    Aug 30 10:34:15 	php: : pfSense package system has detected an ip change 0.0.0.0 -> ... Restarting packages.
    Aug 30 10:34:39 	php: : Restarting/Starting all packages.
    Aug 30 10:34:40 	php: : The Cron package is missing its configuration file and must be reinstalled.
    Aug 30 10:34:41 	kernel: ovpnc1: link state changed to UP
    Aug 30 06:34:42 	check_reload_status: rc.newwanip starting ovpnc1
    Aug 30 06:34:51 	check_reload_status: Syncing firewall
    Aug 30 06:34:57 	php: : Beginning package installation for Cron .
    Aug 30 10:34:58 	php: : rc.newwanip: Informational is starting ovpnc1.
    Aug 30 10:34:58 	php: : rc.newwanip: on (IP address: 10.13.40.166) (interface: opt2) (real interface: ovpnc1).
    Aug 30 06:35:00 	check_reload_status: Reloading filter
    Aug 30 06:35:06 	check_reload_status: Syncing firewall
    Aug 30 10:35:16 	php: : Restarting/Starting all packages.
    Aug 30 10:35:34 	login: login on console as root
    Aug 30 10:35:34 	sshlockout[50405]: sshlockout/webConfigurator v3.0 starting up
    Aug 30 06:35:36 	check_reload_status: Reloading filter
    
    
    Aug 30 10:34:03 	routed[62502]: static route 10.13.40.166/32 --> 10.13.40.166 impossibly lacks ifp
    Aug 30 10:34:03 	routed[62502]: static route 92.96.246.49/32 --> 92.96.246.49 impossibly lacks ifp
    Aug 30 10:34:05 	routed[62502]: receiving our own change messages
    Aug 30 10:34:42 	routed[62502]: write(rt_sock) RTM_ADD 10.13.40.166/32 -->127.0.0.1 metric=0 flags=0: File exists
    Aug 30 10:39:02 	routed[62502]: static route 10.13.40.166/32 --> 10.13.40.166 impossibly lacks ifp
    Aug 30 10:49:01 	routed[62502]: 0.0.0.0 (mask 0x68000000) --> 195.229.252.27 disappeared from kernel
    


  • the gateway monitor showing pending, i sorted this out, actually the migration from 2.0.1 to 2.1 has some issue with the config so i went to routing and deleted the routes and readded them and set a monitoring ip and now gateway monitors fine, some error i saw in system log were as below

    Aug 30 10:52:03 	php: : The gateway: ExpressVPN is invalid or unknown, not using it.
    Aug 30 10:52:03 	php: : The gateway: ExpressVPN is invalid or unknown, not using it.
    Aug 30 10:52:09 	php: : The gateway: ExpressVPN is invalid or unknown, not using it.
    Aug 30 10:52:09 	php: : The gateway: ExpressVPN is invalid or unknown, not using it.
    


  • this bug still exists in the latest nanobsd
    http://forum.pfsense.org/index.php/topic,52980.0.html

