Updating pfSense Remotely

Hello, I have a fairly new pfSense installation in another country and am wondering what precautions I must take when updating pfSense from 22.05 to 23.01. I have no one on the other end with any networking experience, simply users, so I’m a bit apprehensive about even attempting this update with only remote access. Thanks.

Official Netgate hardware or a custom box?

LOL, that’s just asking for trouble! If you don’t have an option to access the router when it’s offline I wouldn’t even attempt it.

As above, I would not attempt it.

Version 22.05 is still supported currently.

It is an official pfSense piece of equipment, 2100. But I’ll take your advice and not update, just was concerned it may be vulnerable if left on the earlier version. Thank you.

See, that’s the thing: it “is” vulnerable, but your company has to weigh up the benefit of an onsite update or borking it with the prolonged downtime! Simple cost-benefit analysis or risk management analysis.

If you want to upgrade, why not purchase a new 2100 and upload the config file from the existing 2100 after installing 23.01?

This way, you will have a spare - just in case.

That is actually not a bad idea, I’ll suggest that to Mgmt. Thanks

Actually, going back to my documentation, it’s actually a 6100, but same deal.

Normally, upgrading over VPN is not an issue and I do this regularly with about 20 units at different locations. However, this particular version has a few issues that may force you to not upgrade via remote.

#1 - The 2100 series may or may not even let you upgrade, depending on the size of your boot partition. It’s recommended to back up your config and then run a complete USB recovery, choosing ZFS as the file system. See this Netgate forum post.

#2 - The 3100 will have a kernel panic on reboot and prevent the OpenVPN service from starting. You’ll need to SSH into it or use the GUI to enter kldxref /boot/kernel into the command line, and then it will let you start the OpenVPN service.

Other systems I’ve upgraded via VPN (4100 and 6100) have gone flawlessly.

Thank you, we do have the 6100 at that site but I’m going to hold off. Our Mgmt person does go there quite often, so maybe I can create a rescue USB for them.