Upgrade 2.1.5 to 2.2 workaround



  • Hey,

    So thought I'd share my upgrade story. It works… I'm on 2.2 now, no issues.

    My pfsense system is pretty straightforward. 2.1.5, numerous port forwards, fw/schedules rules. It does have two different internal NICS, but otherwise is a "pure" appliance -- it just does firewall/routing functions. My phone/asterisk, vpn/strongswan, proxy, web, mail server, etc, are all on different dedicated virtual hosts.

    My pfsense system is one of several systems running on a virtual vm. It's running KVM in a proxmox 3.3 server, running on an AMD fx8350 with a quad port Intel NIC.

    I've been watching the 2.2 RCs for a while now, and all the recent ones I tried would not run on my system. Upgrading would appear to work, but upon reboot would not pass any traffic except ICMP. This also happened w/ the final 2.2 build. I set fw rules to log, but nothing was being logged as blocked by the FW. Adapters were correct, gw, subnet, mac addr, etc. Everything looked perfect. It just wouldn't pass traffic except ICMP.

    I tried the normal stuff -- changed e1000 for paravirtualized (freebsd is recommended to run e1000 on kvm), disabled the offloaded tcp checksum, no difference.

    So I tried a fresh install, using basic settings, and it worked great. My hw config did support pfsense 2.2 with default settings.

    For fun, I tried to load my 2.1.5 config into fresh 2.2. After that, it wouldn't even boot -- stuck at the initial boot loader.

    Next, I reverted to 2.1.5, upgraded to 2.2, then exported the config. Then, reverted to fresh 2.2, tried to load the upgraded 2.2 config, and it again would not boot.

    I did do a quick scan of the config between 2.1.5 and upgraded bootable 2.2, and didn't see anything obviously wrong. But still would only pass ICMP.

    Sooo... I reverted to fresh 2.2, then started loading all the parts of the upgraded 2.2 config, one at at time, using the dropdown menu for 'restore area'. I didn't even notice that menu option before. But it turned out to be a life saver.

    Using the broken 2.2 upgraded config, I restored aliases, dhcp server, firewall rules, interfaces, nat, rrd data, and static routes. Rebooted, and it worked great. I was mostly back to where I was in 2.1.5. I did have to manually create my fw schedules, but otherwise, it works great. I also was able to export the now working 2.2 config, and load it into a fresh 2.2 system w/o any difficulties.

    It would seem that some aspect of the upgrade is broken. But if you can at least get the web interface up and dump the config, you can then load specific pieces of the upgraded config into a clean 2.2 system. It's far from perfect, but it works pretty well.

    On the good side -- CPU utilization is improved for the kvm instance -- cpu utilization would be at 50% for the vm, but pfsense only reported approx 10ish%. Now, they seem to be much more aligned -- 10% in vm guest is 10-15% on host.

    For those of you using kvm, you still have to use the hw.mca.enabled="0" trick to boot. Otherwise, it seems to be running more smoothly, at least over the last few hours. Excellent product!

    Thanks,
    Jon



  • @beyondcrazy:

    Sooo… I reverted to fresh 2.2, then started loading all the parts of the upgraded 2.2 config, one at at time, using the dropdown menu for 'restore area'. I didn't even notice that menu option before. But it turned out to be a life saver.

    IMHO, this is the best way to upgrade if possible to sysadmin.

    @beyondcrazy:

    Using the broken 2.2 upgraded config, I restored aliases, dhcp server, firewall rules, interfaces, nat, rrd data, and static routes. Rebooted, and it worked great. I was mostly back to where I was in 2.1.5. I did have to manually create my fw schedules, but otherwise, it works great. I also was able to export the now working 2.2 config, and load it into a fresh 2.2 system w/o any difficulties.

    It would seem that some aspect of the upgrade is broken. But if you can at least get the web interface up and dump the config, you can then load specific pieces of the upgraded config into a clean 2.2 system. It's far from perfect, but it works pretty well.

    On the good side – CPU utilization is improved for the kvm instance -- cpu utilization would be at 50% for the vm, but pfsense only reported approx 10ish%. Now, they seem to be much more aligned -- 10% in vm guest is 10-15% on host.

    For those of you using kvm, you still have to use the hw.mca.enabled="0" trick to boot. Otherwise, it seems to be running more smoothly, at least over the last few hours. Excellent product!

    Can you create a diff between upgraded config to configured 2.2 config?
    This could help core to to find bugs on config migration tool.



  • I had some issues of my own. I use pfsense as an appliance and only had 3 packages added; unbound, openvpn export utility and iperf.  After doing the upgrade unbound service wouldn't start.  I could ping IPs on the internet and once I changed my desktop to resolve IPs from Google's DNS versus my router everything worked fine.  But I wanted unbound.  Eventually I decided to do a fresh install of pfsense and then upload the config file backup I took just before the upgrade.  Then it all worked fine.  I was using the 32-bit version of pfsense, but when I decided to do a fresh install I went with the 64-bit ISO.

    So I think something may not be 100% with the upgrade process.  What exactly I can't really tell.  But a fresh install followed by uploading the config file solved the problem. /shrug

    I just wish pfsense was using ZFS kind of like what FreeNAS does.  FreeNAS upgrades by taking a snapshot of the boot device, cloning it, then upgrading the clone and rebooting the box to the clone.  If things go badly with the upgrade then you simply roll back to the snapshot.  Instant recovery from a failed update.  ZFS also gives you the advantage of identifying a failing/failed boot device (which has been really handy for a lot more people than I would have expected).



  • @Joshy:

    I just wish pfsense was using ZFS kind of like what FreeNAS does.

    FreeNAS only introduced the feature recently ( 1 month ), and its still buggy … for example, once you replace a failed mirror with another drive, the "boot" code some times does not get written ( still no fix yet ), so you get boot code on one mirror drive but not the other. Plus ... ZFS requires lots of memory to be used, and because FreeNAS boxes should all have 8GB+ ram they are a prime candidate for that feature. Most people only have very limited ram in pfsense, so that means heavy tuning would have to be done in order to accommodate ZFS with pfsense.

    Do i think it would be a great feature ? hell yes. It would be like those routers that have a backup image, but better... however, ALOT of development would have to go into it, i would rather have pfsense team focus on the networking aspect on pfsense versus the ZFS features.



  • @marcelloc:

    @beyondcrazy:

    Sooo… I reverted to fresh 2.2, then started loading all the parts of the upgraded 2.2 config, one at at time, using the dropdown menu for 'restore area'. I didn't even notice that menu option before. But it turned out to be a life saver.

    IMHO, this is the best way to upgrade if possible to sysadmin.

    I completely agree.

    @marcelloc:

    @beyondcrazy:

    Using the broken 2.2 upgraded config, I restored aliases, dhcp server, firewall rules, interfaces, nat, rrd data, and static routes. Rebooted, and it worked great. I was mostly back to where I was in 2.1.5. I did have to manually create my fw schedules, but otherwise, it works great. I also was able to export the now working 2.2 config, and load it into a fresh 2.2 system w/o any difficulties.

    It would seem that some aspect of the upgrade is broken. But if you can at least get the web interface up and dump the config, you can then load specific pieces of the upgraded config into a clean 2.2 system. It's far from perfect, but it works pretty well.

    On the good side – CPU utilization is improved for the kvm instance -- cpu utilization would be at 50% for the vm, but pfsense only reported approx 10ish%. Now, they seem to be much more aligned -- 10% in vm guest is 10-15% on host.

    For those of you using kvm, you still have to use the hw.mca.enabled="0" trick to boot. Otherwise, it seems to be running more smoothly, at least over the last few hours. Excellent product!

    Can you create a diff between upgraded config to configured 2.2 config?
    This could help core to to find bugs on config migration tool.

    I could, but almost every line is going to get flagged. While the data itself might be similar, the order of the config lines varies quite a bit between the two files.

    I'm happy to provide anonymous version of both files if it will help.

    Jon


Log in to reply