Mountroot issues after 2.2 upgrade



  • @edmund:

    I upgraded two systems today, both via the autoupgrade.  One is a little nanoBSD box at home and the other is the main firewall at work - running on a Dell.  Both upgrades were flawless with no problems - both boxes support a pair of WAN interfaces with LAN, Wi-Fi, SIP, and a VPN and custom rules.

    I read through the upgrade notes before performing the upgrades - and uninstalled all packages prior to running the autoupgrade and made backups of the configurations.  Uninstalling the packages is something that I have not done in the past and it definitely made the whole process much quicker than past upgrades.

    So uninstall the packages first, then use autoupgrade and import the package backup config after?



  • That's what I did with the VMs running on a GB connection with lots of packages.



  • @kejianshi:

    That's what I did with the VMs running on a GB connection with lots of packages.

    How did you back up the package? Or just import everything after the autoupgrade?



  • @kejianshi:

    4 servers updated so far and all switched to unbound - 0 problems so far.  2 in ESXi and 2 physical.

    Upgraded with no issues as well. Is the switch to unbound automatic?

    Cheers!



  • What are you using for web filtering? squidguard is not able to install.



  • Nope - I sort of wish it was.  It's no big deal to switch though.  1 minute?  Maybe 2?



  • @kejianshi:

    Nope - I sort of wish it was.  It's no big deal to switch though.  1 minute?  Maybe 2?

    Sorry for the newbie question but could you please explain the steps? Thanks!



  • 1.  update to pfsense 2.2
    2.  go to services > DNS forwarder - un-check " Enable DNS forwarder" then save
    3.  go to services > DNS Resolver - check "enable dns resolver" then save

    I also enabled DNSSEC,  Register DHCP leases in the DNS Resolver,  Register DHCP static mappings in the DNS Resolver (all optional)

    and in the advanced settings TAB I enabled Prefetch Support, Prefetch DNS Key Support  (these should make DNS a bit zippier) (also optional)

    I'm considering enabling Harden Glue and Harden DNSSEC data but I'm not sure.  Maybe someone else will chime in.  The POSSIBLE issue I see is that once I turn those on any site on the web that hasn't configured DNS 100% perfectly might just disappear and become unavailable to me even though they aren't spoofing or being spoofed?  Not sure how this will impact my network if I turn them on basically.

    Also, I went to system > general setup and deleted all my DNS server IPs from that list. (seems optional)

    Then I un-checked "Allow DNS server list to be overridden by DHCP/PPP on WAN" (seems optional)

    and I checked "Do not use the DNS Forwarder as a DNS server for the firewall" (seems required)

    And clicked save - always click save when you change things.

    These changes should take you off the ISP DNS and any public DNS servers and put you on the Internet's main root DNS servers with DNSSEC.

    At this point, the only issue (not really an issue) is that large well organized very good ISPs may cache a lot of content and may also direct you to the very nearest content servers if you are using their DNS, which you will not be.  I'm not too sure how big a performance hit you may take, if any.  Maybe someone else can chime in on that subject?

    I haven't noticed anything bad myself.  I have noticed fewer issues on the physical LAN with Windows machines.  They seem to be resolving much faster and more reliably now.

    Here in my location, I'm VPNing in and using pfsense DNS over the tunnel and it's resolving both IPv4 and IPv6 just fine.

    Hope that helps.

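An added check for the DNSSEC part of these steps (not code from the thread): it sends a query with the EDNS0 DO bit to the resolver and classifies the reply from the AD flag and RCODE, which is how you confirm unbound is validating rather than just forwarding. The resolver address and query name passed to check() are placeholders you supply.

```python
import random
import socket
import struct

AD_FLAG, CD_FLAG, RA_FLAG = 0x0020, 0x0010, 0x0080   # DNS header flag bits
OPT_TYPE, DO_BIT = 41, 0x8000                        # EDNS0 OPT record, DNSSEC OK

def build_query(name, qtype=1, dnssec_ok=True, txid=None):
    """Wire-format query with an EDNS0 OPT record; DO asks the resolver for
    DNSSEC data and makes a validating resolver report AD on its answer."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size in the class field,
    # ext-rcode/version/flags in the TTL field (DO is the top flag bit), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def parse_flags(resp):
    """Header fields a validation check needs, taken from a raw response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & AD_FLAG),
            "cd": bool(flags & CD_FLAG), "ra": bool(flags & RA_FLAG), "answers": an}

def validation_status(flags):
    """'secure' = AD set; 'bogus' = SERVFAIL (rcode 2), what a validator returns
    for a mis-signed zone; 'insecure' = answer without AD (unsigned zone, or a
    resolver that is forwarding rather than validating)."""
    if flags["ad"]:
        return "secure"
    if flags["rcode"] == 2:
        return "bogus"
    return "insecure"

def check(server, name, qtype=1, timeout=3.0):
    """Send one UDP query to the resolver (placeholder address) and classify the reply."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    flags = parse_flags(resp)
    if flags["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return validation_status(flags)
```

Run check("192.0.2.1", "example.com.") against the firewall's LAN address with a zone you know is signed; "insecure" on a signed zone means the box is still forwarding without validation.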


  • If pictures help, this is my home config, just set your interfaces and turn off Forwarder and Turn on Resolver. :)

    Edited to add: the Wpad.dat and the Advanced options are specific to my setup.






  • Last question (For now LOL), what are the advantages/disadvantages of unbound vs. the current DNS Forwarder?
    Thanks!



  • It's just generally better, more robust and feature rich. (also more secure)

    Unbound is a validating, recursive and caching DNS server.

    Dnsmasq is a lightweight, easy to configure DNS forwarder.

    So, one is a DNS server and the other is merely a forwarder for other DNS servers.



  • I am only running a home network should I still make the change in your opinion?

    Cheers!



  • I like it better so far.  It's up to you.

    Be safe.  Back up your current config then give it a try.  If you don't like it, restore your old config.



  • @cheuk3:

    How did you back up the package? Or just import everything after the autoupgrade?

    No need to back up the package. All packages that do not have an explicit option to remove config options will still be there after package reinstall.



  • Waited for the wife to go out shopping and completed the task as per kejianshi's instructions. I have noticed a snappier response and I am quite happy with the performance. The only step I didn't follow was to delete the DNS servers from the general setup.

    One other bonus that I wasn't expecting is that I no longer have DNS leaks connecting as a VPN client  ;D

    Thanks kejianshi and all others who responded.

    Cheers!



  • @marcelloc:

    @cheuk3:

    How did you back up the package? Or just import everything after the autoupgrade?

    No need to back up the package. All packages that do not have an explicit option to remove config options will still be there after package reinstall.

    so the procedure is

    1. make a backup config
    2. uninstall all packages
    3. run auto upgrade
    4. import the backup config

    right? thanks :D



  • 1.  reinstall and test each package.


  • @marcelloc:

    1. reinstall and test each package.

    Do all packages need to be configured again?



  • @cheuk3:

    Do all packages need to be configured again?

    No. Only those that need this wipe on upgrades (like snort).



  • @marcelloc:

    @cheuk3:

    Do all packages need to be configured again?

    No. Only those that need this wipe on upgrades (like snort).

    the package config file will remain in the upgraded system?



  • @cheuk3:

    the package config file will remain in the upgraded system?

    Yes. It's in the XML config file, not in the package dirs.



  • @marcelloc:

    @cheuk3:

    the package config file will remain in the upgraded system?

    Yes.

    cool thanks:D



  • I had to do a fresh install as well. No big deal.



  • Same issue here, full upgrade running pfsense 2.15 AMD 64. The auto upgrade made the system dysfunctional.

    Basically the way to perfectly upgrade the system is to make a full config backup. Fresh install and restore the config.

    It was no biggie for me as I needed to replace the HD anyway. But half a day was gone in getting it running again.

    Note: After restoring the config, you need to clear the package lock and reinstall packages.



  • @marcelloc:

    @cheuk3:

    the package config file will remain in the upgraded system?

    Yes. It's in the XML config file, not in the package dirs.

    Very unusual, most people would expect that if you delete a package, the related config would be deleted too. Everywhere in the world it works like this, otherwise how can somebody start with a package from scratch?

    Nevertheless, I admit that this is useful now.



  • How did you back up the package? Or just import everything after the autoupgrade?

    Before you start the upgrade you just delete any packages that you have installed from the main Package menu - pfSense seems to remember the package settings that you used and after the upgrade you just re-install the packages again.  You'll want to visit the configuration menu for each package after the upgrade just to check but I've always found that all of the settings are preserved.

    It's smart to always make a backup of the configuration locally - you can always dig through the XML if there are problems and figure out what most of the package settings were if something does go wrong.



  • @robi:

    @marcelloc:

    @cheuk3:

    the package config file will remain in the upgraded system?

    Yes. It's in the XML config file, not in the package dirs.

    Very unusual, most people would expect that if you delete a package, the related config would be deleted too. Everywhere in the world it works like this, otherwise how can somebody start with a package from scratch?

    Nevertheless, I admit that this is useful now.

    Yes, "it depends". Sometimes it is really handy that you can uninstall a package, then install again, and the settings are preserved. Other times it is some crap combination of settings that is the problem and actually you want to remove all settings also and start from scratch.
    It would be handy to have an option on both deinstall and install to select "get rid of any settings for this package".



  • @phil.davis:

    It would be handy to have an option on both deinstall and install to select "get rid of any settings for this package".

    Some packages do have this, but the idea of a cleaner package is good.



  • @marcelloc:

    @phil.davis:

    It would be handy to have an option on both deinstall and install to select "get rid of any settings for this package".

    Some packages do have this, but the idea of a cleaner package is good.

    +1 here! Somewhere around the backup/restore area, where you can select which parts of the config to manipulate.
    Btw: not all parts of the config are selectable from the dropdown, this should be completed too.


  • Moderator

    Each package should have an option in its "General" settings Tab to enable/disable "keep settings". This option is available in Snort/Suricata and also in pfBlockerNG.

    Each package de-install function should have code to fully remove all files that it adds to the system and any settings stored in the config.

    Having it as a global option would be a nice option but the first step would be to create a universal format that each package should follow. Maybe the addition of a new XML tag in each package's XML file?



  • The easiest way would probably be to just implement a message box on the package manager tab, where when somebody wants to delete a package it could ask "Are you sure you want to delete the package?", if answered Yes it would ask "Do you want to delete configuration too?" and if answered Yes it would delete the package and the config, if answered No it would just delete the files and keep the config.


  • Moderator

    @robi:

    The easiest way would probably be to just implement a message box on the package manager tab,

    The problem is that the Package Manager does not know what files and/or config changes were made by the package… Those particulars are handled by each package specifically. Having the option to select "Complete De-install" or "Keep Settings" in the package manager is a great idea, but it would need some integration with the packages.

    So for example... Snort.xml has the following tags for Install/Deinstall

    <custom_php_install_command><![CDATA[
        include_once("/usr/local/pkg/snort/snort_post_install.php");
    ]]></custom_php_install_command>
    <custom_php_deinstall_command><![CDATA[
        snort_deinstall();
    ]]></custom_php_deinstall_command>

    The file snort.inc has the functions for Install/De-install

    function snort_deinstall()

    If the keep setting is not enabled in the package it will remove the custom settings in the config and also remove the modified files/downloaded files.

    /* Keep this as a last step */
    if ($config['installedpackages']['snortglobal']['forcekeepsettings'] != 'on')

    So I think it would be best to introduce a new tag, say "custom_php_keep_deinstall_command"

    <custom_php_install_command></custom_php_install_command>
    <custom_php_deinstall_command></custom_php_deinstall_command>
    <custom_php_keep_deinstall_command></custom_php_keep_deinstall_command>

    Then each package could have a function that will handle "keep settings" on De-Install. It's also worth noting that even on a Re-Install, the de-install function is called first.

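To see what the thread is describing, here is an added example (not pfSense or snort code) that inspects the <installedpackages> area of a config.xml backup: it lists the sections a package left behind, reads the forcekeepsettings flag quoted above, flags sections whose package is no longer installed, and removes a package's sections the way the proposed "complete de-install" would. The sample XML is constructed, and its layout is assumed from the $config paths in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the <installedpackages> part of a pfSense
# config.xml backup; the layout is assumed from $config['installedpackages'][...].
SAMPLE_CONFIG = """<pfsense>
  <system><hostname>fw</hostname></system>
  <installedpackages>
    <package><name>snort</name><version>2.9.7.0</version></package>
    <snortglobal><forcekeepsettings>on</forcekeepsettings></snortglobal>
    <snortinterfaces><rule><interface>wan</interface></rule></snortinterfaces>
    <squidguardgeneral><enable>on</enable></squidguardgeneral>
  </installedpackages>
</pfsense>"""

def load_config(text):
    """Parse a config.xml backup (string) into an element tree root."""
    return ET.fromstring(text)

def package_sections(root, prefix):
    """Settings sections under <installedpackages> belonging to one package,
    matched by tag prefix; <package> entries are the install list, not settings."""
    ip = root.find("installedpackages")
    return [] if ip is None else [el for el in ip if el.tag != "package" and el.tag.startswith(prefix)]

def keep_settings(root, prefix):
    """True if one of the package's sections carries forcekeepsettings=on."""
    for el in package_sections(root, prefix):
        if el.findtext("forcekeepsettings", "").strip().lower() == "on":
            return True
    return False

def leftover_sections(root):
    """Settings sections whose package is not in the <package> install list:
    what an uninstall leaves behind in the XML, as the thread describes."""
    ip = root.find("installedpackages")
    if ip is None:
        return []
    installed = {p.findtext("name", "").strip() for p in ip.findall("package")}
    return sorted(el.tag for el in ip if el.tag != "package"
                  and not any(n and el.tag.startswith(n) for n in installed))

def strip_package(root, prefix):
    """The 'complete de-install' case: drop every settings section of the package."""
    ip = root.find("installedpackages")
    removed = package_sections(root, prefix)
    for el in removed:
        ip.remove(el)
    return [el.tag for el in removed]
```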
