Update to 2.1.5 or not?
-
It bothers me that I must pose this question, as I have never even thought of questioning any update to pfsense.
There are many threads about various issues moving to 2.1.5, not excluding a plethora of 'no internet' - 'no DNS' etc. posts.
I'm running several of these boxes, as I have come to trust in pfsense, and even had at one time a group, let's just say, do everything they can to infiltrate the system and network onward. I'll leave that where it stands and say again that I trust pfsense in a production environment.
I simply cannot take the chance of losing connections through two of these devices, it would surely cause myself and others more grief than I might sustain as their host.
Sure, I have various system config backups, but this has gotten rather complex over the time in the datacenters with adding IP blocks of VLANs, cross connects, etc. So theoretically I could have the system back up within the hour.
Though, if I have learned anything over the years, it might be that rarely 'things' go as expected, when you count on them to go in one direction.
For instance, one box feeds a remote server which feeds a VPN, then to an iPhone app, which handles CCTV feeds (various receivers of the feeds), then uses a customized 'slingbox' type script to display said feeds to remote security. This is a high end living complex where video monitoring is constantly necessary.
Another box stands guard in front of a large image/video rendering firm where worldwide clients are accessing / reviewing and using collaborative software to edit images live, before being sent to the render farm and back to display. Which is a highly time sensitive industry.
Various other pfsense machines are set up from simple home networks, to local businesses where 24 hour throughput is not only expected but assumed.
Thoughts?
-
What version(s) are your pfsense boxes running now - are they all on a specific release, say 2.1.3, or is it a hodgepodge of different versions? Are they all 32 or 64 or a mix? I would assume it's all different hardware as well?
Could you point out some of these threads where users were having issues with updates to this version - to be honest, quite often these problems come from PEBKAC.
-
https://forum.pfsense.org/index.php?topic=81086.msg451168#msg451168
The only way I could get this to work was to turn dns forwarder off. Since I didn't touch any of the dns forwarder settings in the first place (this is a very simple setup with no DHCP for the WAN, so static IP setup), I'd have to blame the setup wizard for any problems with config.
Like I said - it worked for probably just over 20 minutes and then quit spitting out queries to the clients with no one doing anything to the router at the time.
YMMV. I have 5 other boxes with only one of them that seems to hiccup on queries a couple times an hour. I was blaming the ISP for this site but this new box exhibited similar behavior before it totally quit.
This box is the only one I didn't upgrade from another version.
-
I had no problems from 2.1.4 to 2.1.5 (X64), but then again: my setups (two boxes, LAN + VLANs, VPN, failover on VDSL and cable, traffic shaping, Radius, Snort, SOHO-setup) probably aren't even remotely close to the complex setup you probably have. Wouldn't a test-environment make sense?
-
to be honest, quite often these problems come from PEBKAC
You have an instance working perfectly, and after upgrade things that worked don't work any more. How is that PEBKAC??
In my case, I avoided upgrading due to the problems others were having until this past weekend. After the upgrade, SquidGuard wouldn't start anymore but I didn't immediately notice. Since it was end of day, I did a few quick connectivity tests (Web out for users, web in to our website, voip) and then went home for the weekend. By the time I arrived home, I had 155 emails from Service Watchdog about SquidGuard. I bounced the box and when it came back up, SquidGuard was fine much to my delight.
-
Look at the thread he linked to - sorry, but a dns server that does not answer recursive queries has nothing to do with pfsense. And while you might have masked or not noticed the issue in a previous version, then trying to blame it on the upgrade is crazy. For every 1 person with an issue there are probably 100 that have not had any issues.
Now if there was an issue with the nano version and /etc/resolv.conf that is another thing. Which is why I asked what flavor, what hardware, etc. etc.
Moving to a new version is always going to have risk, which is why you always have rollback plans. Any company that rolls out an update cannot be sure that it's going to work on every single instance of deployment. Even if it worked in the lab. Hardware, different version, different environments. There should always be a rollback option.
To be honest, the vast majority of problems I see here - and I like to keep an eye on all threads - many of them are just a lack of understanding at even a basic level that has nothing to do with pfsense at all.
My point is that many of the threads that come up when a new version comes out are not bugs in the software itself but just lack of user understanding or crazy ass deployments in the first place. Not saying there are not bugs or that you might not have issues. But they like to try and blame the new version vs the actual root of the problem.
It's not on the pfsense dime that they be expected to vet every possible combination - if you have such a large deployment you should have test/labs where you can validate the update before you roll it out to production. Even then you should always have a rollback plan.
-
Look at the thread he linked to - sorry, but a dns server that does not answer recursive queries has nothing to do with pfsense.
Referring to my link?
DNS Forwarder is part of the pfSense install. DNS Forwarder is not answering queries from clients on the LAN. This is a fresh install with no packages and no changes outside the setup wizard. And it does seem that a number of people are having connectivity issues after upgrading their boxes.
Not sure how that's nothing to do with pfSense.
I think what I'm seeing so far is that a couple of us have the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box unchecked. In my case the WAN of this particular machine does not get its address via DHCP and has to be set static. When I get home I may try and play with this setting on my other 5 installs and see if I can break any of them.
https://forum.pfsense.org/index.php?topic=82479.0
https://forum.pfsense.org/index.php?topic=81086.0