OPNsense Forum
English Forums => General Discussion => Topic started by: penley on July 28, 2016, 10:16:40 pm
-
Hello,
I need some guidance with upgrading OPNsense.
My question is does OPNsense need to be upgraded sequentially? Will it do it on its own or can we jump major versions? For instance I have an OPNsense firewall currently at version 15.7.18_1. It's not been upgraded in a while because it's in production and just now we have some down time to upgrade it. We want to upgrade to the latest version 16.7.
I'll continue to search the forums and post anything I find here.
Kind regards,
penley
-
Hi penley,
15.7.18 is pretty old, but the upgrade path is still there. The transition goes through a few "critical sections", where major or incompatible changes occurred.
In your case, 15.7.25 will be the next stop, afterwards that will upgrade to 16.1.20, and the last update will take you to 16.7. Both 15.7.25 and 16.1.20 are End-Of-Life releases that have migration hints visible in the firmware page so you get a chance to review and adapt.
In overall terms, the changes have been mostly harmless breakage or fully backwards-compatible. The biggest transition that we have had was the captive portal, which was completely replaced for 16.1.
You can find all the release notes here for further reference:
https://github.com/opnsense/changelog/tree/master/doc
Cheers,
Franco
-
Hello Franco,
Thank you very much for your reply.
The main concern was that the OpenVPN configurations we have in place would dissolve between upgrades.
I've finally gotten a test scenario up as a precaution and will test before I hit the live machine.
Thank you again.
Kind regards,
penley
-
Hi Penley,
OpenVPN is one of the subsystems that underwent the least amount of change, both in OpenVPN client/server software itself and how it works in OPNsense. Make sure you have a config backup handy at all times and with your old configuration wait for 16.7.1 to hit as it has a compatibility fix with very old configurations and interfaces.
If you're able to go to 16.1.20 while keeping OpenVPN running, the final jump to 16.7.1 is rather small. :)
Cheers,
Franco
-
I was able to spin up a test environment for 15.7.18_1 and update with no problems.
However, an opportunity has presented itself to update the live opnsense 15.7.18_1 device and I get a connection error when fetching updates. I've tried to update from the console, but it times out there as well. It just says "updating repository catalogue... pkg:http://pkg.opnsense.org/FreeBSD:10:amd64/15.7/latest/meta.txz: Operation timed out. repository OPNsense has no meta file, using default settings."
I'll keep looking at it, but thought I'd share this in case anyone else has had a similar issue with 15.7.18_1.
-
Which mirror are you using?
Could be that the one you're using doesn't have the older patches you need anymore.
Guessing here, but just a thought. Fitch can no doubt tell you more.
-
You're spot on I think. I changed mirrors and it upgraded to 15.7.25. Now I'm upgrading to 16.7, but currently the progress is spinning on "[68/87] Deleting files for opnsense-15.7.25:".
It's been sitting there for a little while now, but I'm just being patient and letting it run. Hopefully it's doing something in the background.
Thank you for your response!
kind regards,
penley
-
Glad to see it helped.
Some packages may have a gazillion files to delete, so indeed, be patient :-)
-
As an added thought, not all updates require a reboot.
Mainly the ones with a new kernel again.
Obviously some services may be restarted, but update/downtime can be as low as seconds.
-
I refreshed my browser after 80 minutes and had to log back in. When I fetched updates again it updated to 16.7.5. One thing I've noticed though is that the Openvpn interface is not in the firewall rules. It is in my test machine, but it's not showing on the production side.
I'm not sure why just yet.
I tried to restore the firewall rules to see if that would fix it, but I receive this error message "The following input errors were detected: You have selected to restore an area but we could not locate the correct xml tag."
-
Just giving an update. The system is upgraded to 16.7.5.
Openvpn was missing from the firewall rules tab, but I got it to come up by doing the following: rebooted and then added a bogus openvpn server. After I added the bogus vpn server the OpenVPN interface showed up in the firewall rules tab with the correct configurations from the previous openvpn rules created. I then deleted the bogus server and rebooted. The openvpn interface remained in the firewall rules tab after reboot.
Thank you for all your help Franco and Weust. It is very much appreciated.
I think things are settling down now, so I'll just be keeping an eye on it.
Kind regards,
penley
-
Cool. And try to update a bit more regularly then once a year ;)
-
Hi penley,
I remember the upgrade "stop" bug and the OpenVPN interface tab issue. Both fixed in recent versions.
The interface plugging has been updated dramatically, it just needed a config write in the OpenVPN setting fix your issue.
The firmware getting stuck was never stuck, the frontend simply detached and could not reattach. These days you can hit refresh in your browser to see if it's still running as it will jump right back to the current progress.
Enjoy 16.7 and try to upgrade a little more frequently in the future to lower the barrier for upgrades in the future. :)
Cheers,
Franco
-
Hi franco and weust,
Thank you very much for all ya'lls help.
I will be more careful in the future to update more frequently.
kind regards,
penley