Successfully Upgraded from NanoBSD to Full Install - Lesson Learned
-
Thought I would share my experience from upgrading from NanoBSD to Full Install. Overall it went extremely well! After reading the https://doc.pfsense.org/index.php/Upgrade_Guide and realizing that NanoBSD will be phased out soon enough (no defined ETA, but just knowing it will be phased out on the roadmap was enough for me to bite the bullet and just buy a cheap SSD for use in my pfsense rather than the USB to SATA Compact Flash setup I had been using.)
I was using pfsense NanoBSD 4GB 2.3 until yesterday. Downloaded latest snapshot at the time (pfSense-CE-memstick-2.3.1-DEVELOPMENT-amd64-latest.img.gz) and got everything working. Wrote memstick to USB following https://doc.pfsense.org/index.php/Writing_Disk_Images and Win32 Disk Imager. No issues. Booted from USB (memstick) and installed to the SSD using the installer. No problem. Restored my config from nanobsd. No problem. Everything was working smoothly. Mind you my config is extremely simple. No extra packages from default install. Just a few DHCP static mappings, one firewall rule, some DNS entries… very basic stuff.
I woke up this morning to my Windows 10 64bit PC having the "no internet access" icon and me not being able to browse to any INTERNET sites (Intranet sites worked just fine.) Checked ipconfig, no default gateway listed. I thought that was odd. All was working yesterday. I still had the assigned IP address from my DHCP static mapping (services_dhcp.php) and subnet mask... but the default gateway on my client NIC was blank. Disabled/re-enabled NIC, nothing. Still no Internet connectivity (I could obviously still get to LAN services, i.e. pfsense admin gui.) Tried rebooting both client PC and pfsense, did not help. Logged into a few VMs I had and those were working just fine. Very odd. At least I narrowed it down to my own PC, or so I thought.
For whatever reason, last night when I had first restored the config I noticed that the gateway monitoring was ENABLED. I had gateway monitoring ENABLED in my restored config but I had some custom parameters to increase the number of seconds between probes and the frequency of the probes (see below for the notes I had from when I set that up.) What I should have done from the very get go (since I do not have multiple gateways and there is no reason in my setup that I even need to use the gateway monitor) is disable the gateway monitor. Stupidly, I disabled the gateway itself (system_gateways.php) instead of actually disabling the monitoring (system_gateways_edit.php?id=0.) Turns out that if you disable the gateway itself (I think default is GW_WAN) then some clients MAY not obtain the default gateway on the LAN interface appropriately. I say MAY because I had some clients (combination of different OSes) that still were able to get the default gateway even though GW_WAN was disabled. Very odd. Naturally, I realized my mistake and enabled the gateway and DISABLED the gateway monitoring, and after a quick ipconfig /release and ipconfig /renew my Windows 10 PC was able to obtain the default gateway and both Internet and Intranet functionality were restored.
Took me a few minutes to do a delta on my XML configs before and after upgrade to notice that the root cause was the disabling of the gateway on system_gateways.php. Ooops. :) Self inflicted. Lesson learned.
Old tweaks on apinger which caused me to disable the gateway as opposed to just disabling the gateway monitor:
My DHCP ISP gateway is ignoring/dropping the icmp probes used by pfSense to verify the gateway is up.
Mar 30 17:23:03 apinger: alarm canceled: GW_WAN(x.x.x.x) *** loss ***
Mar 30 17:22:18 apinger: alarm canceled: GW_WAN(x.x.x.x) *** delay ***
Mar 30 17:22:09 apinger: ALARM: GW_WAN(x.x.x.x) *** delay ***
Mar 30 17:21:35 apinger: ALARM: GW_WAN(x.x.x.x) *** loss ***
Had to adjust these variables under system>>>routing>>>gateways>>>Edit next to your gateway under Advanced, I chose Probe Interval = 10 and Down = 120
The XML config setting that was different before and after upgrade which led me to the GW_WAN being disabled.
<gateways>
<gateway_item>
<interface>wan</interface>
<gateway>dynamic</gateway>
<name>GW_WAN</name>
<weight>1</weight>
<ipprotocol>inet</ipprotocol>
<interval>10000</interval>
<defaultgw>
<loss_interval>120000</loss_interval>
<alert_interval>10000</alert_interval>
<time_period>140001</time_period>
<disabled></disabled>
</defaultgw>
</gateway_item>
</gateways>
My current hardware is now:
Intel Desktop Board D2500CC
http://www.intel.com/content/www/us/en/motherboards/desktop-motherboards/desktop-board-d2500cc.html
Intel Atom D2500 CPU Specifications
http://ark.intel.com/products/59682/Intel-Atom-Processor-D2500-1M-Cache-1_86-GHz
Kingston SSDNow V300 Series 2.5" 120GB SATA III Internal Solid State Drive (SSD) SV300S37A/120G
SAMSUNG Original 2GB 204-Pin DDR3 1333 MHz SO-DIMM (PC3 10600) Laptop Memory Module Notebook RAM Model M471B5673EH1-CH9
APEX MI-008 Black Steel Mini-ITX Tower Computer Case 250W Power Supply Model# MI-008
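The before/after config delta described in the post above can be scripted. This is an added example, not part of the original post and not pfSense code: the sample configs are constructed, the function names are hypothetical, and `monitor_disable` is assumed to be the element pfSense writes when only gateway monitoring is turned off.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not the poster's actual files).
BEFORE = """<pfsense><gateways><gateway_item>
<interface>wan</interface><gateway>dynamic</gateway><name>GW_WAN</name>
<interval>10000</interval><loss_interval>120000</loss_interval>
</gateway_item></gateways></pfsense>"""
# The mistake from the post: the gateway itself is disabled.
AFTER = BEFORE.replace("</gateway_item>", "<disabled></disabled></gateway_item>")
# The intended change: only monitoring is disabled (assumed element name).
FIXED = BEFORE.replace("</gateway_item>",
                       "<monitor_disable></monitor_disable></gateway_item>")

def gateway_state(config_xml):
    """Return {gateway name: {leaf tag: text}} for every <gateway_item>."""
    state = {}
    for item in ET.fromstring(config_xml).iter("gateway_item"):
        name = item.findtext("name", default="(unnamed)")
        # Flags are empty elements, so record presence of the tag at any
        # depth rather than relying on its text.
        state[name] = {el.tag: (el.text or "").strip()
                       for el in item.iter() if len(el) == 0}
    return state

def diff_gateways(before_xml, after_xml):
    """List (gateway, tag, change, detail) tuples between two configs."""
    before, after = gateway_state(before_xml), gateway_state(after_xml)
    findings = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name, {}), after.get(name, {})
        for tag in sorted(set(b) | set(a)):
            if tag not in b:
                findings.append((name, tag, "added", a[tag]))
            elif tag not in a:
                findings.append((name, tag, "removed", b[tag]))
            elif b[tag] != a[tag]:
                findings.append((name, tag, "changed", f"{b[tag]} -> {a[tag]}"))
    return findings

def disabled_gateways(config_xml):
    """Names of gateways that carry a <disabled> flag."""
    return [n for n, s in gateway_state(config_xml).items() if "disabled" in s]

if __name__ == "__main__":
    for finding in diff_gateways(BEFORE, AFTER):
        print(finding)
    print("disabled gateways:", disabled_gateways(AFTER))
```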
-
Just to point people who read this to the sticky about Gateway monitoring https://forum.pfsense.org/index.php?topic=110043.0
Make sure to read that - anyone who has unusual advanced parameters set on their gateway monitoring in 2.2.*, the conversion code from apinger to dpinger parameters sometimes ends up with an invalid combination. This is fixed for 2.3.1. If you upgrade directly from 2.2.* to a 2.3.1 DEV build then the conversion will be done fine. Once 2.3.1 is released then this will be good for everyone.
-
Turns out that if you disable the gateway itself (I think default is GW_WAN) then some clients MAY not obtain the default gateway on the LAN interface appropriately. I say MAY because I had some clients (combination of different OSes) that still were able to get the default gateway even though GW_WAN was disabled. Very odd.
I would bet that all of your clients would have eventually lost their default gateway, depending on when their DHCP leases expired…
:)
-
I would bet that all of your clients would have eventually lost their default gateway, depending on when their DHCP leases expired…
You are absolutely correct. My DHCP leases are 48 hours so I probably had just not hit the renewal for the other clients :) Thanks!
Just to point people who read this to the sticky about Gateway monitoring https://forum.pfsense.org/index.php?topic=110043.0
Thanks for the info!