Any version of pfSense can be reliably upgraded to any newer version while retaining the existing configuration. This includes RC, Beta, and other releases. So long as the firmware is moving from an older version to a newer version, it will work unless noted otherwise. Keep a local and remote copy of the backup config. There is a chance that a regression from one version to another, either in the pfSense or FreeBSD code, can leave the firewall unusable.
With some advance planning, the firewall can quickly be returned to the previous release. Very rarely is it desirable or necessary to go back to a prior release. Should that be necessary, the previous version must be reinstalled and a configuration backup from that version must be restored.
Configurations from newer versions cannot be restored to older versions. The pre-upgrade configuration will need to be restored after the switch. In this case, reinstall. For a full install, this means reinstalling from a CD or Memstick for the previous release. Download the appropriate image and have it ready before starting the upgrade procedure.
This is the least likely scenario, with maybe one in every ten or twenty thousand installs affected with upgrades containing significant FreeBSD release changes such as pfSense 1. This way, if anything should go wrong, it can easily roll back to a known-good state.
Packages will be reinstalled afterward, but are frequently a source of problems. To ensure a smooth upgrade, note the installed packages, remove them, perform the upgrade, and then reinstall whichever packages are necessary.
The most reliable method to change architecture is to reinstall and restore the configuration. The configuration file is the same on both versions.
All RRD history will be lost; this cannot be converted. Also after the upgrade, the reboot binary will be bit which cannot run on a bit platform, so the system will fail to reboot on its own.
The firewall must be power cycled to complete the upgrade. Many users have done this upgrade without seeing any caveats other than this, but it is not recommended. If the firewall is running 2. The restore could be done after a reinstall or in-place upgrade changing the architecture, but the data must be backed up before the switch is made. If this is done on a 32 bit system, and that configuration later restored to a 64 bit system, the next upgrade of the restored system will switch it to 32 bit.
Then your system will remain on its current architecture. For those using an embedded release from before pfSense 1. Given the age of such systems, it is likely that the CF or other media would need to be replaced instead. WRAP systems will not work with stock pfSense 1. Some old packages can cause problems with the configuration upgrade process, or possibly prevent the system from booting at all in some rare cases. After the upgrade is complete, the packages can be reinstalled.
The configuration is automatically retained. The management directive must be removed or the status of the VPN instance will not be properly reported. The RADIUS server will need to have these values updated to bps for proper functionality once the firewall has been upgraded to pfSense 2. These characters cause invalid XML when they are stored directly, and as such if pfSense 1. Fix the errors, and then the corrected configuration can be used for an upgrade.
Additionally, if upgrading from pfSense 2. This is done because otherwise the LAN-side states were not killed appropriately, and thus some connections would be in limbo, especially SIP. Due to the change in its behavior, State Killing on Gateway Failure is disabled by default in new configurations and is disabled during upgrade to pfSense 2. If the feature is desired even with its new behavior, it must be manually re-enabled post-upgrade.
To allow IPv6 traffic after an upgrade, the setting must be changed manually. It defaults to allowed for new configurations. Changes to policy route negation between pfSense 2. This most commonly presents as an inability to reach local networks after upgrading.
The automatic policy route negation rules on pfSense 2. To ensure proper routing to other local interfaces, VPNs, or static route networks, rules must be added to the local interfaces to pass traffic to these destinations without a gateway set. And that rule must be above any others that would match and have a gateway set. We advise uninstalling packages prior to upgrade to avoid issues with the conversion from tbz packages to PBI packages.
If the packages are not removed before the upgrade, some binaries may be left in place. This has been fixed on pfSense 2. Bug Limiters cannot be used where pfsync is enabled. Existing configurations should work the same as always, but if any unusual configurations are present, take care in testing after the upgrade. Any site to site IPsec VPNs using aggressive mode with racoon as a remote endpoint should change to main mode to prevent this from being an issue.
Main mode is preferable regardless. Input validation in 2. If your mobile IPsec clients need to access the Internet via IPsec, your mobile phase 2 must specify 0. Change the phase 1 identifiers so they really do match to resolve this. This does not always extend to virtualized disk drivers, however; see the Xen note below.
There may be BIOS changes or other workarounds to help. For most, disabling these manually is no longer necessary. This can cause Xen to automatically change the disk and network device names during an upgrade to pfSense 2. The NIC device change issue has no workaround. Manual reassignment is required at this time. Manually reassigning the interfaces or correcting them in config. If an upgraded mirror does not boot or function on 2.
For most, the changes we have made to accommodate this new system will be transparent, but there are some potential issues, such as: This is a problem with the FreeBSD driver and must be fixed upstream. It may return in a future release. Use of FTP is strongly discouraged as credentials are transmitted insecurely in plain text.
You can retain the lagg behavior in pfSense 2. You can configure this in 2. It will result in a harmless cosmetic error in the logs on 2. If you have more than one LAGG interface configured, you will need to enter a tunable for each since that is a per-interface option. So for lagg1, you would add the following. The old tunable was: This must be changed to: The fact it worked before was technically a bug, acting in violation of RFC The default behavior on pfSense 2. Should this behavior be required, it may be allowed by manually adding a tunable as follows: It would be wise to enter the URL to this note or a similar note.