Pfsense 2.7.0 & PfBlocker Upgrade

pfsense (pf) 2.7.0 release notes suggest that all modules be upgraded before upgrading to 2.7.0, but when trying to upgrade the pfblocker module, it states that a php upgrade is needed so upgrade pf first.

Has anyone upgraded 2.7.0 with pfblocker? Should pfblocker be removed prior to upgrading to 2.7.0?

Actually, this is not correct. All packages should be uninstalled. Here are their notes:

Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.

To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.

Yep, I see that. Thank you.

That is a lot of pfblocker reconfiguration. Is there a way to save and restore pfblocker configuration?

For those that are unaware as I was, uninstalling pfblockerng doesn’t remove the configuration information. I successfully removed pfblockerng on several pfsense 2.6.0 systems, updated pfsense to 2.7.0, and reinstalled pfblockerng. All the settings, maxmind key, geoIP, etc. were restored. Hope this helps.

I upgraded from 2.6.0 to 2.7.0 without removing any packages. Now I am sporadically getting filter reload errors:

  • There were error(s) loading the rules: /tmp/rules.debug:29: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [29]: table <bogonsv6> persist file "/etc/bogonsv6"

I have increased state table sizes and still get the errors. I had never seen these errors in 2.6.0.

Anyone have recommendations to recover from this?

I think I have figured it out. On my 2.7.0 system, the value of kern.maxdsiz is set to 1_073_741_824, but on my 2.6.0 system it is blank and defaults to 34_359_738_368. Underscores added for clarity. I got my 3.7.0 system to work by setting it to 30_000_000_000 and increasing maximum firewall states. I did not confirm what the max states were before updating kernel config. I will be able to verify this when I upgrade my 3.6.0 system to 3.7.x.