shakin’ up noth-ink
Upgrade pfSense 1.2 -> 1.2.1 Notes
I spent a few hours this afternoon upgrading some of the work firewalls, which run pfSense, from v1.2 to v1.2.1, which was released a few days ago. Here are my notes and warnings after following the Install and Upgrade documentation.
In theory, the upgrade is meant to be fairly straightforward. You can try to do an online upgrade; however, there are documented issues with that. The other option is to reinstall, which in this case means reflashing the CF cards. So long as you have a config backup, you can simply restore your settings and off you go. All in all:
- Download the new image file
- Stick the CF card in your CF card adapter
- zcat pfsense.img.gz | dd of=/dev/XYZ bs=16k
- Stick the CF card back in the firewall
- Boot and restore the config
Gotcha #1: The new image does not have any network setup by default. In theory, once again, you should have a serial cable (DSUB 9) that you use to access the serial console of your firewall. Configure a LAN interface address, then use the web interface to restore the config file. Unfortunately I did not have a serial cable; we’ll leave why out of it. I dealt with this by building a config file within the embedded image before writing it to the CF card. You’ll need QEMU to do this. Note that these steps are derived from the Mac_OS_X_together_with_qemu section of the Install documentation.
# Unzip the embedded image and start it with QEMU;
# - Two NICs LAN / WAN
# - The qemu command is all one line
gunzip pfsense.img.gz
qemu -hda pfsense.img -net nic,vlan=0 -net nic,vlan=1 -serial telnet::7890,server,nowait
# Now open a terminal and fake a serial console with telnet
telnet localhost 7890
# You'll need to configure your network devices during boot.
# I used generic settings so I could flash the image to multiple cards
# When you reach the main menu push 8 for a shell
mount -u /cf
cd /conf
vi config.xml
# Check the interfaces are configured properly then
exit
# Choose option 6 to halt the emulated machine.
# Write the updated image to your CF card
dd if=pfsense.img of=/dev/XYZ bs=16k
QEMU is available for most major incarnations of most operating systems. The above are fairly Linux specific but should be easy enough to translate; dd is a physical disk dump program.
Gotcha #2: Bogon networks! They are updated by a cron script on the 1st of each month at 3:01AM. Unfortunately the default list includes IPs assigned by Optus Wireless Broadband, which means if I’m using one of work’s USB modems I can’t access the servers. That’s bad! Really, the bogon list should be updated during the setup wizard if you turn bogon filtering on. See this pfSense forum topic for how to manually update your bogon filter.
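A way to catch this before a freshly flashed firewall goes into service, as an added example that is not part of the original post: compare the bogon list shipped in the image against a current one and check the source addresses you must be able to connect from. It assumes the list is plain text with one CIDR per line and `#` comments; the lists and addresses below are constructed samples built from documentation ranges.

```python
import ipaddress

# Constructed sample: list baked into the freshly flashed image.
SHIPPED_LIST = """
# bogon list as shipped (sample)
10.0.0.0/8
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24   # stands in for a range since assigned to an ISP
"""
# Constructed sample: current list, with the assigned range removed.
CURRENT_LIST = """
10.0.0.0/8
192.0.2.0/24
198.51.100.0/24
"""
# Constructed sample: source addresses that must reach the servers.
MUST_REACH = ["203.0.113.57", "172.16.4.2"]

def parse_bogons(text):
    """Parse a bogon list: one CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def blocked_by(bogons, addresses):
    """Map each address to the bogon network that would drop it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((str(n) for n in bogons if ip in n), None)
    return result

def stale_entries(old, new):
    """Entries in the old list that no entry in the new list still covers."""
    return [str(o) for o in old
            if not any(o.version == n.version and o.subnet_of(n) for n in new)]

if __name__ == "__main__":
    shipped, current = parse_bogons(SHIPPED_LIST), parse_bogons(CURRENT_LIST)
    print("stale entries:", stale_entries(shipped, current))
    for addr, net in blocked_by(shipped, MUST_REACH).items():
        print(addr, "BLOCKED by " + net if net else "ok")
```

Any address reported as blocked by the shipped list but not by the current one means the list needs a manual update before bogon filtering is enabled on that interface.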
Gotcha #3: Your backup config file DOES NOT contain certain settings, OpenVPN configurations for example. Make sure you have a copy of any custom settings not contained in the backup config file; otherwise be prepared to reconfigure.
And that’s all.
about 1 year ago
And for those wondering; from now on I am carrying a serial cable in my laptop bag.