Upgrading pfSense - having the old version (just in case)

I am about to upgrade my 2.4.4-p3 installs to 2.4.5-p1. Like a good IT pro I read the docs - ‘Installing and Upgrading’ sections. There I see I should have the old version installation just in case the update fails miserably. However, I haven’t got it and I can’t download it. So, what do do?

(TLDR) the docs say, preinstallation tasks #1 and #2 should be done before attempting an upgrade:

  1. Take a configuration a backup
  2. Have a fall-back plan - if the worst happens
  3. Do the upgrade, with note taken of old to new version specifics

I have no problem with #1 and #3. However, #2 is not so simple (or I misread it).

From the pfSense docs:
Downgrading a full installation to previous releases directly in-place is not supported. Very rarely is it desirable or necessary to go back to a prior release. Should that be necessary, the previous version must be reinstalled and a configuration backup from that version must be restored. Configurations from newer versions cannot be restored to older versions.

I don’t have the 2.4.4-p3 installation media still, and now I find I can’t download it. I have searched the Netgate forums - I found a post from the forum admins when someone else asked how to get old versions, saying they remove the old version downloads when a new one is released (as they don’t want to allow access to a version with known vulnerabilities).

I agree its a bad idea to install any version other than the current release for a new firewall build - but what should I do about having a fall-back plan, should the worst happen to the CE installation I use at home? I can put in an SG1100 I guess, but not too happy with losing the extras I get from the CE install to a PC with the crypto CPU extensions.

I have requested the old install USB image for my two Netgate SG1100 appliances (and received it, thanks to Netgate support responding on a Sunday). What about the community edition installation?

Maybe the gods are telling me to out try Untangle?

If anyone has the AMD64 2.4.4-p3 CE USB install media (serial or VGA), PM me a (https://send.firefox.com?) download link?

The XML file from the 2.4 version will work with the 2.5 version. So you only really need the latest image file in case the upgrade does not work.

1 Like

In the future, if you want to automatically download the pfSense images, set up a cron on a NAS or other *nix machine.

  1. Create a bash script (pfsense.sh)


wget -r -l0 -np -N “https://nyifiles.pfsense.org/mirror/downloads/” -P /{local path} -A “pfSense-CE-*.gz” -X “old”

  1. Add execute permission to bash script (pfsense.sh)

chmod a+x pfsense.sh

  1. Manually run bash script (pfsense.sh)

bash pfsense.sh

  1. Write over robots file

echo “” > /{local path}/nyifiles.pfsense.org/robots.txt.tmp

  1. Change robots file write permission

chmod a-w /{local path}/nyifiles.pfsense.org/robots.txt.tmp

  1. Add bash script to cron (crontab -e)

# m h dom mon dow command
0 4 * * * . /{local path}/pfsense.sh > /dev/null 2>&1

1 Like

Yep that’s how it works, caught me out the first time ! Kinda dodgy to install anything that isn’t from Netgate on your firewall, guess like everyone else that folder now has all the ISOs !


Thanks for the idea. I like it. I prepared a script as you suggested, but somehow I can’t get it to work. Cut-n-paste is a bad idea as the ’ and " characters have been changed to left and right quotes and double quotes.

I can see how it is supposed to work:

wget will retrieve files, with amazing flexibility - the command options you suggested make sense.
-r recurse
-l0 zero levels
-np non-parent
-N ? Does not seem to be a valid option
-P local path prefix
-A add files that match, so all the pfSense-CE files
-X exclude the old directory, which we are not alloed in (I wish)

However, when I do run it, I don’t get any .gz files at all. I get some folders and a robots-follow.txt file. Its weird. I have read the man pages as closely as I can manage (well, its very long indeed).

The suggested “chmod a-w” fails - Operation not permitted. ??? The robot.txt.tmp file permissions are “-rwxr-x—+ 1 root”- so I take that to mean owner (root) as read and write permission. As I run the command as root I do not expect to be told I can’t remove w from all. Weird.

wget returns this log:

–2020-06-30 17:48:52-- https://nyifiles.pfsense.org/mirror/downloads
Resolving nyifiles.pfsense.org (nyifiles.pfsense.org)…,, 2607:ee80:10::119:40, …
Connecting to nyifiles.pfsense.org (nyifiles.pfsense.org)||:443… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: https://nyifiles.pfsense.org/mirror/downloads/ [following]
–2020-06-30 17:48:53-- https://nyifiles.pfsense.org/mirror/downloads/
Reusing existing connection to nyifiles.pfsense.org:443.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: ‘./pfsense-images/nyifiles.pfsense.org/mirror/downloads.tmp’

 0K ..                                                      479M=0s

2020-06-30 17:48:53 (479 MB/s) - ‘./pfsense-images/nyifiles.pfsense.org/mirror/downloads.tmp’ saved [2809]

Loading robots.txt; please ignore errors.
–2020-06-30 17:48:53-- https://nyifiles.pfsense.org/robots.txt
Reusing existing connection to nyifiles.pfsense.org:443.
HTTP request sent, awaiting response… 200 OK
Length: 27 [text/plain]
Saving to: ‘./pfsense-images/nyifiles.pfsense.org/robots.txt.tmp’

 0K                                                       100% 8.69M=0s

2020-06-30 17:48:53 (8.69 MB/s) - ‘./pfsense-images/nyifiles.pfsense.org/robots.txt.tmp’ saved [27/27]

Removing ./pfsense-images/nyifiles.pfsense.org/mirror/downloads.tmp since it should be rejected.

FINISHED --2020-06-30 17:48:53–
Total wall clock time: 0.5s
Downloaded: 2 files, 2.8K in 0s (316 MB/s)

I note that the URL is being redirected - to itself. Weird.

So from all of this I think wget is more sophisticated that I understand. Is it honouring the robots.txt, and not following to the mirror/downloads files??

Interesting way to keep up with old images, if I can get it to work. :wink:

It works for me on my QNAP QTS NAS units. Also worked for me on a Ubuntu VM

-N is a valid option. It enables checking the time stamps of the files to eliminate unnecessarily downloading again


What permissions are you running the script as (sudo, root, user?). Run the script as a user, not root.

Did you blank out the robots.txt.tmp and change the permissions to prevent wget from writing over the robots.txt.tmp? If you don’t the web site will prevent you from downloading the images.

You can also add the -d and/or -v option to more verbose diagnostic output.

Planning to upgrade to the 2.4.5-p1 update also. I see Netgate recommends removing packages before upgrading and reinstalling but they also say you can upgrade inplace then update packages after. If I remove packages, can I backup the packages config first? Thoughts? Hope this is relevant to this discussion. :wink:

My approach has been to keep all downloaded ISOs, frequent full config backups when I start to tinker, when I upgrade, I update the packages after the pfsense update. Seems to have worked ok so far. I have Proxmox so I could also test an update on that but I’m lazy.
Whatever you do best to ensure you can still get back to your current state, so you only need your ISO and config.

I’ve never removed packages before upgrading, but I am only running pfBlockerNG, cron, nut, and suricata. I just let the upgrade automatically upgrade my packages afterwards.

Perfect. That’s what I’m going to do. Probably overthinking it. Thanks!