Upgrading pfsense

Red Squirrel

I decided to bite the bullet and upgrade to Pfsense 2.x. I'm at 1.2.3-RELEASE right now. I want to do the update through the web interface. Failing that I want to just install from scratch, so I want to download that package too in case I need it. Which files do I need?

http://mirror.picosecond.org/pfsense//updates/

I'm guessing pfSense-Full-Update-2.0.3-RELEASE-i386.tgz is what I want, but then, the others kinda sound like they make sense too. Is it maybe pfSense-2.0.3-RELEASE-2g-i386-nanobsd_vga-upgrade.img.gz that I need? There are several that are named practically the same. I want vga console support in case I mess something up and lose connectivity, is that what the vga part means?
 
The nano release is for embedded devices usually as it is meant for install on a CF card. I had to look at this for the specifics page. The VGA file means it uses the VGA output instead of just the serial console. Depending on the way you installed it originally you are probably best off using the full i386 update. There is an i386 ISO as well if you need to reinstall from a CD or USB drive.
 
Oh ok, figured nano was just the name of the distro pfsense used or something. So the pfSense-Full-Update-2.0.3-RELEASE-i386.tgz one is the one I want?
 
Yep, unless you're running on a CF card or similar then you'd probably want the embedded to limit writes to the drive.
 
I already have it running so I'd rather just upgrade. Pain trying to get a monitor and keyboard to it now.
 
Upgrading is usually pretty painless although I've not done it from 1.2.3 to 2.x.

Make a backup of your config from the webui. Then it'll give you a single file and if something happens you can seamlessly restore your config from the file.....
 
Yeah did a backup, and will download the ISO too just in case so I have it. I'll probably go ahead with this tonight and hope for the best.
 
How long is this supposed to take? Still says "The firmware is now being updated. The firewall will reboot automatically." but I'm scared to hit refresh or do anything on that page.

Been close to an hour.
 
Oh, so apparently it's already upgraded LOL. Also looks like my Pentium 3 does not cut it anymore, I can't even saturate my DSL. :p Was meaning to upgrade the box anyway... so guess I will end up installing from ISO after all. That box has a SCSI drive in it anyway, I better replace it before the drive dies, then I'd really be screwed. I have a newer 1U server I'm not using, may as well put it to good use. I think it's a core2duo.
 
Well this sucks, the new box just won't take pfsense. It starts to boot then fails with this:

Code:
F1 pfSense
F6 PXE
Boot: F1
\

And just sits there forever. Guess it's time to build a new box. Damnit, was really hoping I would not need to spend more money. Should an Atom be ok to run Pfsense with 50/30 internet? Thinking of just getting one of those SuperMicro 1U boxes that are about the size of a switch. Low power usage, which is nice. I'll throw an SSD in it for the drive so no need to worry as much about failure given the low IO it will be getting.

Oddly it only fucks up if I remove all drives but one. The raid controller is some crappy raid that requires the OS to be raid aware, so there's no point in using it, I just want to use one drive. Seems it won't let me do that for some reason. With all 4 drives it seems to boot fine. I don't see the point of having 3 drives that are spinning completely for nothing. It also has this thing where it resets the USB half way through the install which screws with my USB CDROM emulator hard drive (Basically uses an ISO to emulate a cdrom drive). But if I choose the install via USB option then it installs but won't boot.


Edit: Damnit. Does the same if I install from CD :/
And this was supposed to be a 5 minute thing before I go to bed, so much for that.
 
I am using a Supermicro Server with an Atom D525 processor with 4 gigs of ram and it runs my 50X5 connection fine with the built in gig nics.
 
Looks like you'll have to connect the monitor and keyboard after all ;)
I run PIIIs for pfSense and don't have the limitations you're seeing. Are you sure you grabbed the 32-bit and not the 64-bit build?
pfSense mainly uses the drive to boot and store logs (base install). If your pfSense box doesn't reboot often, it's possible the drive(s) or drive controller went bad.
 
I use an Atom G530 with 2GB of RAM and it had no problems with me saturating a 100/10 connection but I've downgraded now to an unlimited 25/3 DSL connection to save some money. I also have two other boxes I manage, a P3 with 1GB of RAM with a 10/10 connection and a P4 with 512MB of RAM with a 50/3 connection both also have no issues saturating the connections.

If you want to make your life easier make sure whatever you buy has Intel NICs. pfsense is hit or miss usually with any other brand of NIC.
 
This is just built on nics, not sure what brand. The new box I'm trying to turn up is built on as well. Come to think of it I think it may have a 64 bit cpu. Wonder if I should have gotten the 64 bit version. I'm not sure what the processor is, I think it's a core2duo but it does not say, I'll find out if I can get an OS installed on it.

I wonder if I should try to install it on a USB stick and skip the hard drives altogether. Could the controller be causing issues?
 
Just a thought, is the controller integrated or is it a card? Are there any ports on the motherboard? Can you set the controller to AHCI?

A flash drive will work just fine assuming the board will boot from it. You may want to go with the embedded version if you go that route to limit writes and extend the drive life. My pfSense box is a Maxterm 8300 thin client. It was running off of a CF > IDE adapter, but I think something in the setup is corrupting the cards. I'm running off of a 1g flash drive right now but I need to either get a mini one that doesn't stick out or switch it out for another VIA board I have with internal USB headers.
 
Nope this (the new box) is an Asus 1U server so everything integrated. I think I saw an option for AHCI, right now it's set to IDE. I'll try AHCI tonight and see what happens. If I can get it working I'll upload the config and swap out the old box. Using 3 ports on the old box and this one only has 2 but I think I can use a vlan as the 3rd port on the box is simply a separate network for wifi. I'll have to experiment first with the current box.
 
Just an fyi, I have untangle running on an atom d525 with 4GB on a 60/3. I've had to add a small fan to keep the temp down but it runs perfectly..

I think PFSense is much lighter on the resources than untangle.
 
Until you add every package under the sun, pfSense requires a small fraction of the resources that Untangle does.
 
There are known issues where certain machines boot very slowly, have you waited let's say 20 minutes or so? It's obviously not an acceptable time for bootup but it may help debugging. You can also try turning off firewire and XHCI (USB3) if possible. As for performance a small MIPS platform would do fine and be much more efficient than an Atom box. Here's some raw transfer performance of a 500Mhz Dual-Core MIPS box running 10-CURRENT.

Code:
Client (Hanekawa)
FreeBSD 10.0-CURRENT #0: Mon Jun 10 08:59:30 UTC 2013

Server (Myuki)
FreeBSD 9.1-STABLE #5 r247012: Wed Feb 20 00:00:11 CET 2013

Client

root@hanekawa:/usr/ports/benchmarks/iperf # iperf -c 192.168.1.1
------------------------------------------------------------
Client connecting to 192.168.1.1, TCP port 5001
TCP window size: 32.5 KByte (default)
------------------------------------------------------------
[  3] local 192.168.1.244 port 44692 connected with 192.168.1.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   292 MBytes   245 Mbits/sec

Server

root@miyuki:/usr/ports/benchmarks/iperf # iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[  4] local 192.168.1.1 port 5001 connected with 192.168.1.244 port 44692
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   292 MBytes   245 Mbits/sec

..and UDP

Client

root@hanekawa:/usr/ports/benchmarks/iperf # iperf -c 192.168.1.1 -u -b 500m
------------------------------------------------------------
Client connecting to 192.168.1.1, UDP port 5001
Sending 1470 byte datagrams
UDP buffer size: 9.00 KByte (default)
------------------------------------------------------------
[  3] local 192.168.1.244 port 63088 connected with 192.168.1.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   337 MBytes   282 Mbits/sec
[  3] Sent 240095 datagrams
[  3] Server Report:
[  3]  0.0-10.0 sec   336 MBytes   282 Mbits/sec   0.051 ms  224/240094 (0.093%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order

Server

root@miyuki:/usr/ports/benchmarks/iperf # iperf -s -u
------------------------------------------------------------
Server listening on UDP port 5001
Receiving 1470 byte datagrams
UDP buffer size: 64.0 KByte (default)
------------------------------------------------------------
[  3] local 192.168.1.1 port 5001 connected with 192.168.1.244 port 63088
[ ID] Interval       Transfer     Bandwidth        Jitter   Lost/Total Datagrams
[  3]  0.0-10.0 sec   336 MBytes   282 Mbits/sec   0.051 ms  224/240094 (0.093%)
[  3]  0.0-10.0 sec  1 datagrams received out-of-order
 
Trying to avoid buying anything new for now. If I can get it working on the newer box then I'll stick with that and retire the P3. The P3 box used to run a hospital though (netscreen) so it's odd it won't do pfsense 2.x very well. I max out around 3mbps. With 1.2.3 I would max out at about 6-7 which was most likely my DSL maxing out. Though I am set at 8 so maybe it actually was pfsense maxing out. The cpu would not peg at 100% though. Now if I run a speed test it pegs at 100%. On the old box, that is. Will try to get it to work on the new box when I get home from work. (this is the slowest going shift ever)
 
You won't have any issue, I used to rock a 15/2 cable line at my old house running to a 1st gen p3-500/128mb box with a Broadcom and Intel NIC. Currently, mine's in production at both home and office, virtualized under ESXi.
 
Make sure you're running Intel NICs or similar (anything but Realtek is fine) and that you're not sharing IRQs. The latter is hardwired on older computers.
//Danne
 
Enabling AHCI and disabling APCI did not help, same thing, just get stuck at that F1 pfsense screen. (reinstalled).

As if the P3 can't even handle my DSL though... was really hoping I can just stick to that box. I can always revert back to pfsense 1.2.3 I guess, since it ran fine with that version. Now it maxes out at about 4-5mbps. Oddly on my wifi I only get about 1mbps, but that has to go through a few more firewall rules to get out.

Is there anything I can enable/disable to make it more efficient maybe? I don't have any packages, but I wonder if there are some things in the new version that might take more resources?



Edit: For shits and giggles I'm going to zero out the hard drive. I wonder if when I tried to use onboard raid it did something weird to it.

While I'm in Linux, this is what the specs are:

Core2duo E4500
4GB of ram
2x Broadcom NetXtreme BCM5721 nics
Intel USB controller, PCI controller, memory controller etc
Intel 82801GR/GH ICH7 IDE controller (it's actually sata drives but guess it emulates as IDE)

Hopefully that might help a little more.
 
Got it to work!

Turns out zeroing out the drive actually fixed it. I still see that screen though but it then boots normally from that point. Guessing that is normal behaviour.
 
Yep, now onto vlans! (had a question posted here but figured I should make a new thread)
 
Your P3 should do just fine unless you're doing something very wrong
//Danne
 
It was doing fine, till I upgraded to 2.x. I was unable to push more than a few mbs through it. I was doing a speed test and was not even getting half of my DSL speed. Now with the core2duo it seems to be ok. Guess with the P3 I was right on the edge, and the software upgrade probably tipped it over. I probably would not have been getting much faster once I get my fibre. Hopefully the core2duo will do fine.
 
It's something wrong with the build then, my MIPS box is a lot slower than a P3 CPU and it pushes at least 60mbit+ using pf.
Use top and look where all the time is spent, also are you using Realtek NICs?
//Danne
 
Too late, now swapped it out. Not sure what kind of nics were in there, maybe it was realteks, though this box used to run a whole hospital, so I'm kind of baffled why it was not able to push more than a couple mbps, and only after an upgrade. The new box works fine though, I'm pushing 6-7mbps which is what my DSL can do.
 