[OPLINTECH] Pfsense 2.7

Ron Woods woodsro at stclibrary.org
Tue Jun 27 08:50:56 EDT 2023


Great insights, Chad. Thank you! Sounds like we have both been using Pfsense for a while. I remember too when they were Electric Sheep Fencing. I don't have any major concerns this time around as Netgate has been really good with testing and bug fixing, especially on this release; they even purposely waited to bring 2.7 into RC until after BSDCan so they could clear a last few little details.

I, like you, will have a backup of the previous before upgrading my main, and then once I know the main is all working and everything is good, I will upgrade my backup and keep it in case of any failures.

I am also looking forward to the release as well.

In the release notes, it has quite a few fixes to Captive Portal. Hopefully these will be of use to your setups.

https://docs.netgate.com/pfsense/en/latest/releases/2-7-0.html

Regards

Ron Woods
Computer Services Manager
St. Clairsville Public Library
740-695-2062 ext 619

https://www.stclibrary.org

----------------------------------------

From: "Chad Neeper via OPLINTECH" <oplintech at lists.oplin.org>
Sent: 6/26/23 4:36 PM
To: OPLINTECH <oplintech at lists.oplin.org>
Subject: Re: [OPLINTECH] Pfsense 2.7

I've been using pfSense for a good long time myself... probably going on 20 years or so now, back when Netgate was Electric Sheep Fencing. I find it to be an absolutely perfect and scalable firewall for the libraries I work with. There have been some big sets of changes before, including upgrading the FreeBSD base. I've generally always looked forward to the updates and rarely have significant issues. Just follow sensible upgrade procedures, including reviewing any specific guidance offered by Netgate. Make your config backups, of course, for both your primary and secondary firewalls (assuming you're running CARP). I generally upgrade my secondary firewalls first, review the configuration and interface for interesting changes, then fail over to the secondary to ensure that everything is working as expected. Assuming all is fine on the secondary, I'll upgrade the primary and review its config. Then fail back to the primary, continuing to watch for issues. After upgrading both, I usually make a second set of backups with the upgraded pfSense, just so I have a baseline backup in the current (new) pfSense version. I always have the Auto Config Backup enabled on both primary and secondary firewalls, but I like to do the manual backups old-school style too.

My own typical config for the libraries I work with is probably a little unique. I actually leverage Linux host servers and run my pfSense boxes virtualized. It's an old tactic I've been using very successfully since the earliest days of virtualization. With some physical NICs in the servers dedicated to firewall activity, it works quite well for me. It also gives me the added advantage of being able to very simply make a complete and full backup of the full virtual machine for both my primary and secondary firewalls. So in the event of a major catastrophic upgrade failure, I can very easily just revert to the backup I (likely) made just before starting the upgrade and then everything is 100% back to normal. Leveraging the redundant firewalls, I can do everything (rebooting a firewall, backing up virtual machines, restoring virtual machines, whatever) live without end users ever noticing. (Redundancy is extremely useful!)

Honestly, I knew it had been under development, but I haven't really been paying all that much attention to specifically what's going on with the latest pfSense point release. I did skim the links you included to see if there was anything that seemed particularly scary. You're right about some major changes, but it's been done before. I'll take a little more care with this particular upgrade and ensure that I have my appropriate safety nets in place before I upgrade any of the firewalls, but I'm not overly concerned (in my own particular upgrade scenarios).

What will concern me a bit more is when I need to upgrade single (non-CARP) firewall instances running on bare metal. I have a few libraries like that out there. I generally save those for last and try to ensure I have a safety net available if possible. I typically also upgrade a firewall like that only on-site at the library. I've been bitten before by a failed (semi-bricked) upgrade, where I wouldn't have been able to recover had I been trying to upgrade remotely. Ever since then, I've been a little more cautious with my choice of timing for the upgrade and my safety nets at those libraries.

Overall, I'm looking forward to the release. I'll be especially happy if it resolves a longstanding issue I've had with Captive Portal in 2.6.x!

Is there anything in particular that's concerning you with the 2.6 → 2.7 upgrade? Or is just intelligent due diligence and caution prompting your post?

Chad

______________________________
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

Full IT/Computer consulting services -- Specialized in public libraries
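As an added illustration of the "review the configuration for interesting changes" step in the procedure above (this is not code from the thread, from Netgate, or from pfSense itself), the script below flattens two config.xml backups, one taken before and one after an upgrade, and reports what changed, with a short list of findings a person should look at before failing over. The XML fragments are constructed samples that only mimic the general layout of a pfSense backup (a `<pfsense>` root holding `<version>`, `<system>`, `<interfaces>` and `<filter>`); the version numbers, hostnames, addresses and the `MUST_REVIEW` prefixes are assumptions, not values from any real release.

```python
"""Diff two pfSense-style config.xml backups taken before and after an upgrade.

Added example for reviewing an upgraded firewall's config before failing over.
The XML below is constructed sample data; tag names mimic the general layout of
a pfSense backup but the values are placeholders, not real release data.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed backup taken from the secondary firewall BEFORE the upgrade.
PRE_UPGRADE = """<pfsense>
  <version>21.7</version>
  <system>
    <hostname>fw-secondary</hostname>
    <domain>example.lan</domain>
  </system>
  <interfaces>
    <wan><if>vtnet0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>vtnet1</if><ipaddr>10.0.0.2</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule><descr>allow LAN out</descr><interface>lan</interface><type>pass</type></rule>
    <rule><descr>block guest to LAN</descr><interface>guest</interface><type>block</type></rule>
  </filter>
</pfsense>"""

# Constructed backup taken AFTER the upgrade. The version bump and the new
# <timeservers> element are expected; the second rule flipping from block to
# pass is the kind of change a reviewer must catch before failing over.
POST_UPGRADE = """<pfsense>
  <version>22.9</version>
  <system>
    <hostname>fw-secondary</hostname>
    <timeservers>ntp.example.lan</timeservers>
  </system>
  <interfaces>
    <wan><if>vtnet0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>vtnet1</if><ipaddr>10.0.0.2</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule><descr>allow LAN out</descr><interface>lan</interface><type>pass</type></rule>
    <rule><descr>block guest to LAN</descr><interface>guest</interface><type>pass</type></rule>
  </filter>
</pfsense>"""

# Path prefixes (assumed layout) whose changes always deserve a human look:
# host identity, interface assignments and firewall rules.
MUST_REVIEW = ("pfsense.system.hostname", "pfsense.interfaces.", "pfsense.filter.")


def flatten(xml_text):
    """Return {dotted.path: text} for every leaf element in the config.

    Repeated sibling tags (e.g. several <rule> elements) get an index suffix so
    that rule 0 and rule 1 are compared with their own counterparts.
    """
    root = ET.fromstring(xml_text)
    leaves = {}

    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        counts = Counter(child.tag for child in children)
        seen = Counter()
        for child in children:
            name = child.tag
            if counts[child.tag] > 1:
                name = f"{child.tag}[{seen[child.tag]}]"
                seen[child.tag] += 1
            walk(child, f"{path}.{name}")

    walk(root, root.tag)
    return leaves


def diff_configs(pre_xml, post_xml):
    """Return added, removed and changed leaf values between two backups."""
    pre, post = flatten(pre_xml), flatten(post_xml)
    return {
        "added": {k: post[k] for k in post.keys() - pre.keys()},
        "removed": {k: pre[k] for k in pre.keys() - post.keys()},
        "changed": {k: (pre[k], post[k]) for k in pre.keys() & post.keys() if pre[k] != post[k]},
    }


def review_upgrade(pre_xml, post_xml):
    """Produce the findings a reviewer should read before failing over."""
    diff = diff_configs(pre_xml, post_xml)
    findings = []
    if "pfsense.version" not in diff["changed"]:
        findings.append("config version unchanged; the upgrade may not have applied")
    for key, (old, new) in diff["changed"].items():
        if key.startswith(MUST_REVIEW):
            findings.append(f"review: {key} changed from {old!r} to {new!r}")
    for key, old in diff["removed"].items():
        if key.startswith(MUST_REVIEW):
            findings.append(f"review: {key} was dropped (was {old!r})")
    return findings


if __name__ == "__main__":
    for section, entries in diff_configs(PRE_UPGRADE, POST_UPGRADE).items():
        print(f"{section}: {entries}")
    for finding in review_upgrade(PRE_UPGRADE, POST_UPGRADE):
        print(finding)
```

Run it against the two XML files exported from the backup page before and after the secondary is upgraded; an empty findings list and a diff that contains only the version bump and genuinely new knobs is the signal that it is safe to fail over and move on to the primary.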

On Mon, Jun 26, 2023 at 3:40 PM Ron Woods via OPLINTECH <oplintech at lists.oplin.org> wrote:

Hi,

Are any other libraries out there using Pfsense? We have been using it here in STC for many years; it is a very solid, extensible open source firewall system.

The newest version 2.7 is getting ready to drop here in a few weeks. 

https://www.netgate.com/blog/pfsense-rc-2.7.0-and-23.05.1

https://docs.netgate.com/pfsense/en/latest/releases/2-7-0.html

It is a pretty big upgrade from previous versions. On the backend they have overhauled the entire FreeBSD base from version 12 to 14, and they also had to make quite a few compatibility changes moving from PHP 7.4.x to 8.2.6. I have been following the Redmine very closely over the last year.

https://redmine.pfsense.org/versions/70

If anyone else out there is using it, what are your upgrade plans come post June 29th? I have a set of identical hardware to my production box that I plan to convert my existing configuration to the new 2.7, and then I will create a backup box based on 2.6 with my current set up before I upgrade my production box. If anyone has any suggestions or things they are going to do, I'd appreciate it if you would post.

Thanks!

Sincerely

Ron Woods
Computer Services Manager
St. Clairsville Public Library
740-695-2062 ext 619

https://www.stclibrary.org
