pfSense - Built In Protection and Upgrades
The pfSense installer has a built-in mechanism to support replicating the prior configuration across upgrades.
pfSense is a customised distribution of FreeBSD specifically tailored for TCP/IP Firewall and Routing.
I have used it internally as a Virtual Router (VNF - Virtual Network Function) for cloud network testing. My testing was with the (now old) version 2.4.3, which is based on FreeBSD 11.1. I deliberately avoided upgrading until a version was available based on FreeBSD 12.3, as there was a black hole with networking due to a netmap bug with QEMU/KVM machines.
So waiting for the fix of the virtio/netmap bugs, which are both resolved in FreeBSD 12.3, meant waiting for the pfSense 2.6.X series release, a period of nearly 4 years...
So with pfSense 2.6 released (based on FreeBSD 12.3) I finally decided to do the update via the console. This failed as the difference between versions was too big: FreeBSD 11.1 -> 12.3 and pfSense 2.4 -> 2.6.
So the question was: how could you update the pfSense VMs to the 2.6.X series?
Simple Upgrade Procedure
As there was no simple update available, the option for upgrading looked to be to:
- Back up the configuration - pfSense keeps its configuration in a central XML file ("config.xml")
- Create new pfSense VM - create new pfSense VM
- Restore configuration - via the XML configuration backup file
The problem is that the documented approach relies on using the Web UI, when what I wanted was a way to do this via console / shell.
Further reading described that pfSense keeps its configuration in the directory "/cf":
# ls -R /cf
conf
/cf/conf:
backup
config.xml
copynotice_display
copynotice_version
deprecated_load_balancer.xml
installer_copied_config
rules.debug.old
upgrade_log.txt
/cf/conf/backup:
backup.cache
config-1532574366.xml
So the likely solution was to go into the Shell, tar up the configuration directly and then ftp it off the box so it could then be used to restore into the new VM.
Again reading the documentation, it alluded to such a mechanism in the "Automatically Restore Configuration During Installation" section, using a USB key to read the prior configuration from.
On a physical machine using USB is fine, but on a VM this is extra work... but then it describes the "Recover config.xml From Existing Installation" option, which:
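The shell-only backup considered above, as an added example that is not part of the original post or pfSense's own tooling. The function names and the demo tree are assumptions; the sample config.xml is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not pfSense tooling): archive /cf before reinstalling.
# Function names and the demo tree below are assumptions for illustration.

sha256_of() {   # FreeBSD ships sha256(1); Linux ships sha256sum(1)
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# backup_cf CF_DIR OUT_DIR: prints the archive path, non-zero on failure.
backup_cf() {
    cf=$1 out=$2
    # A config.xml not closed by its <pfsense> root tag is truncated;
    # archiving it would give a backup that cannot be restored.
    grep -q '</pfsense>' "$cf/conf/config.xml" 2>/dev/null || {
        echo "config.xml missing or truncated" >&2; return 1; }
    archive="$out/cf-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    # config.xml holds password hashes and keys: owner-only archive.
    ( umask 077; tar -czf "$archive" -C "$cf" conf ) || return 1
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE: checksum matches and config.xml is a member.
verify_backup() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tzf "$1" conf/config.xml >/dev/null 2>&1
}

# Constructed sample tree standing in for /cf (not a real configuration).
demo=$(mktemp -d)
mkdir -p "$demo/cf/conf/backup" "$demo/out"
printf '<?xml version="1.0"?>\n<pfsense>\n<version>constructed</version>\n</pfsense>\n' \
    > "$demo/cf/conf/config.xml"
cp "$demo/cf/conf/config.xml" "$demo/cf/conf/backup/config-1532574366.xml"

saved=$(backup_cf "$demo/cf" "$demo/out") && verify_backup "$saved" \
    && echo "backup verified: $saved"
```

On a real box the call would be `backup_cf /cf /root`. Because config.xml carries credentials, move the archive and its .sha256 file off the box over an encrypted channel such as scp.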
- "The recovery process attempts to repair the filesystem on the disk up to 10 times, then mounts the disk and looks for the existing configuration file. If it is able to find and read the configuration file, the recovery process copies it to a temporary RAM disk during the installation process."
Ahhh light bulb moment!!! I can just do the upgrade by installing over the top of the existing pfSense installation and it will read the existing config.xml and apply this to the new installation.
Why don't they just write this in plain simple English, right at the front of the installation guide, and provide guidance for when the "update" fails because the version is too old to update?
So as a precaution, I copied my existing VM disk image for backup and then proceeded to install pfSense 2.6 on top of the old and un-updateable 2.4.3 installation.
This worked without a hitch, so the frustrating became trivial very quickly.
pfSense 2.6 also has new Console selections to "14) Enable Secure Shell (sshd)" and to "15) Restore recent configuration". These will make it easier to manage your pfSense "routers".
References & Links:
pfSense / FreeBSD Versions - are documented and the most recently used version is FreeBSD 12.3. This means that pfSense was affected by the 11.2 to 12.2 netmap/virtio bugs, which affect networking on QEMU / KVM
netmap bug on QEMU / KVM - meant that getting FreeBSD networking to work required building a custom kernel to disable netmap. This was fixed with 11.4
pfSense Backup / Recovery Documentation - focuses on using Web UI for backup / restore operations