SDC Cloud - DO NOT UPGRADE PFSENSE to 2.7.X - 08/01/2023
pfSense is a great and wonderful solution. Advice from the manufacturer and the developers should be heeded when planning the upgrade process. We have experienced several errors with the upgrade process. Snort, Oinkmaster, MaxMind, PFBlocker, FEODO, OpenVPN, BandwidthD, and IPSEC have all shown signs of issues with the upgrade process.
There are future releases planned for a firewall based on 2.7.X.
From the vendor - Releases — 2.7.0 New Features and Changes | pfSense Documentation (netgate.com)
Danger
This version includes newer ZFS features which may not be compatible with older boot loaders. These features are not enabled by default when upgrading to avoid potential problems with older boot loaders. Some ZFS commands run at the CLI, such as zpool status, may report that a pool can be upgraded, but doing so may also require manually updating the boot loader for the device to boot properly. Upgrading the ZFS pool is not necessary at this time. As such, the best practice is to leave it as-is. This will be handled automatically as needed in future updates.
Reinstalling the OS from current installation media will result in having the most recent boot loader and ZFS feature set.
Warning
As a part of the FreeBSD upgrade this version removes several deprecated IPsec algorithms:
- 3DES Encryption
- Blowfish Encryption
- CAST 128 Encryption
- MD5 HMAC Authentication
The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.
On upgrade, IPsec tunnels will be adjusted to remove any deprecated algorithms from their configuration. The upgrade process will disable tunnels if they have no valid encryption or authentication options remaining. The upgrade process will notify the user of any changes it makes.
This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.
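One way to find affected tunnels before upgrading is to audit a config.xml backup offline. The script below is an added example, not code from this page or from Netgate. The element names and algorithm spellings are assumptions about the config.xml layout, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Algorithms the 2.7.0 notes list as removed from IPsec. The config spellings
# (e.g. "hmac_md5" in phase 2) are assumptions; check them against your backup.
REMOVED_ENC = {"3des", "blowfish", "cast128"}
REMOVED_AUTH = {"md5", "hmac_md5"}

# Constructed sample standing in for a config.xml backup (assumed element names).
SAMPLE = """<pfsense><ipsec>
 <phase1><ikeid>1</ikeid><descr>branch-a</descr><encryption><item>
  <encryption-algorithm><name>3des</name></encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm></item></encryption></phase1>
 <phase1><ikeid>2</ikeid><descr>branch-b</descr><encryption><item>
  <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
  <hash-algorithm>sha256</hash-algorithm></item></encryption></phase1>
 <phase2><ikeid>2</ikeid><descr>branch-b-lan</descr>
  <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
  <encryption-algorithm-option><name>blowfish</name></encryption-algorithm-option>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option>
  <hash-algorithm-option>hmac_sha256</hash-algorithm-option></phase2>
</ipsec></pfsense>"""

PATHS = {  # where each phase keeps its encryption / authentication choices
    "phase1": ("encryption/item/encryption-algorithm/name", "encryption/item/hash-algorithm"),
    "phase2": ("encryption-algorithm-option/name", "hash-algorithm-option"),
}

def _values(entry, path):
    return {(e.text or "").strip().lower() for e in entry.iterfind(path)}

def audit_ipsec(xml_text):
    """Return one finding per phase entry that uses a removed algorithm."""
    findings = []
    for entry in ET.fromstring(xml_text).iterfind("./ipsec/*"):
        if entry.tag not in PATHS:
            continue
        enc, auth = (_values(entry, p) for p in PATHS[entry.tag])
        removed = sorted((enc & REMOVED_ENC) | (auth & REMOVED_AUTH))
        if not removed:
            continue
        # Nothing valid left on one side: the notes say the upgrade disables it.
        # Empty sets are skipped so AEAD-only entries without a hash are not flagged.
        no_option_left = bool(enc and enc <= REMOVED_ENC) or bool(auth and auth <= REMOVED_AUTH)
        findings.append({"phase": entry.tag, "descr": entry.findtext("descr", ""),
                         "removed": removed, "no_option_left": no_option_left})
    return findings

if __name__ == "__main__":
    for f in audit_ipsec(SAMPLE):
        print(f)
```

Entries reported with no_option_left set are the ones to reconfigure and test first, since they match the condition under which the upgrade disables a tunnel.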
Warning
Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process.
To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade.