[OPLINTECH] Pfsense 2.7

Chad Neeper cneeper at level9networks.com
Mon Jun 26 16:35:32 EDT 2023


I've been using pfSense for a good long time myself... probably going on 20
years or so now, back when Netgate was Electric Sheep Fencing. I find it to
be an absolutely perfect and scalable firewall for the libraries I work
with. There have been some big sets of changes before, including upgrading
the FreeBSD base. I've generally always looked forward to the updates and
rarely have significant issues. Just follow sensible upgrade procedures,
including reviewing any specific guidance offered by Netgate. Make your
config backups, of course, for both your primary and secondary firewalls
(assuming you're running CARP). I generally upgrade my secondary firewalls first,
review the configuration and interface for interesting changes, then fail
over to the secondary to ensure that everything is working as expected.
Assuming all is fine on the secondary, I'll upgrade the primary and review
its config. Then fail back to the primary, continuing to watch for issues.
After upgrading both, I usually make a second set of backups with the
upgraded pfSense, just so I have a baseline backup in the current (new)
pfSense version. I always have the Auto Config Backup enabled on both
primary and secondary firewalls, but I like to do the manual backups
old-school style too.

My own typical config for the libraries I work with is probably a little unique.
I actually leverage Linux host servers and run my pfSense boxes
virtualized. It's an old tactic I've been using very successfully since the
earliest days of virtualization. With some physical NICs in the servers
dedicated to firewall activity, it works quite well for me. It also gives
me the added advantage of being able to very simply make a complete and
full backup of the full virtual machine for both my primary and secondary
firewalls. So in the event of a major catastrophic upgrade failure, I can
very easily just revert to the backup I (likely) made just before starting
the upgrade and then everything is 100% back to normal. Leveraging the
redundant firewalls, I can do everything (rebooting a firewall, backing up
virtual machines, restoring virtual machines, whatever) live without end
users ever noticing. (Redundancy is extremely useful!)

Honestly, I knew it has been under development, but I haven't really been
paying all that much attention to specifically what's going on with the
latest pfSense point release. I did skim the links you included to see if
there was anything that seemed particularly scary. You're right about some
major changes, but it's been done before. I'll take a little more care with
this particular upgrade and ensure that I have my appropriate safety nets
in place before I upgrade any of the firewalls, but I'm not overly
concerned (in my own particular upgrade scenarios).

What *will* concern me a bit more is when I need to upgrade single
(non-CARP) firewall instances running on bare metal. I have a few libraries
like that out there. I generally save those for last and try to ensure I
have a safety net available if possible. I typically also upgrade a
firewall like that only on-site at the library. I've been bitten before by
a failed (semi-bricked) upgrade, where I wouldn't have been able to recover
had I been trying to upgrade remotely. Ever since then, I've been a little
more cautious with my choice of timing for the upgrade and my safety nets
at those libraries.

Overall, I'm looking forward to the release. I'll be especially happy if it
resolves a longstanding issue I've had with Captive Portal in 2.6.x!

Is there anything in particular that's concerning you with the 2.6 → 2.7
upgrade? Or is it just intelligent due diligence and caution prompting
your post?

Chad

______________________________
*Chad Neeper*
Senior Systems Engineer

*Level 9 Networks*
740-548-8070 (voice)
866-214-6607 (fax)

*Full IT/Computer consulting services -- Specialized in public libraries*


On Mon, Jun 26, 2023 at 3:40 PM Ron Woods via OPLINTECH <
oplintech at lists.oplin.org> wrote:

> Hi,
>
> Are any other libraries out there using Pfsense? We have been using it
> here in STC for many years; it is a very solid, extensible open source
> firewall system.
>
> The newest version 2.7 is getting ready to drop here in a few weeks.
>
> https://www.netgate.com/blog/pfsense-rc-2.7.0-and-23.05.1
> https://docs.netgate.com/pfsense/en/latest/releases/2-7-0.html
>
> It is a pretty big upgrade from previous versions. On the backend they
> have overhauled the entire FreeBSD base from version 12 to 14, and they
> also had to make quite a few compatibility changes moving from PHP 7.4.x to
> 8.2.6, as I had been following the Redmine very closely over the last year.
>
> https://redmine.pfsense.org/versions/70
>
> If anyone else out there is using it, what are your upgrade plans come
> post June 29th? I have a set of identical hardware to my production box
> that I plan to convert my existing configuration to the new 2.7, and then I
> will create a backup box based on 2.6 with my current set up before I
> upgrade my production box. If anyone has any suggestions or things they are
> going to do, I'd appreciate it if you would post.
>
> Thanks!
>
> Sincerely
>
>
> Ron Woods
>
> Computer Services Manager
>
> St. Clairsville Public Library
>
> 740-695-2062 ext 619
> https://www.stclibrary.org