Troubleshooting Upgrades on Netgate 1100 and Netgate 2100 Devices

Some older installations of pfSense Plus software on Netgate 1100, Netgate 2100, and Netgate 2100 MAX devices contain an EFI partition which does not have sufficient space to accommodate the new EFI loader for version 23.01 and later. This primarily affects UFS-based systems initially installed with pfSense Plus software version 21.02-p1 or before.

Upgrade Notice

Users of affected devices will see a warning about the EFI partition when attempting to upgrade.

When the upgrade check runs, it inspects the system for this problem and files a notice if the problem is present:

[Figure: Notice in the GUI after upgrade check]

A similar notice is printed at the command line when checking for updates there:

: pfSense-upgrade -c
ERROR: Cannot update the EFI loader on this device. Contact TAC at
https://www.netgate.com/tac-support-request for assistance upgrading this device.

Check if the Device is Affected

Users can inspect the EFI partition size by checking the output of gpart show.

If the EFI partition size is small (800K), then the device must be reinstalled. Larger EFI partition sizes (64M or larger) are OK.

This example is a device with an undersized EFI partition:

: gpart show
=>       1  15269887  diskid/DISK-B1C82821  MBR  (7.3G)
         1      1600                     1  efi  (800K)
      1601     70012                     2  fat32  (34M)
     71613  15198275                     3  freebsd  (7.2G)

Note the size of the efi type partition, which is 800K.

This example is a device with an EFI partition which can be upgraded:

: gpart show
=>       1  15269887  mmcsd0  MBR  (7.3G)
         1    409600       1  efi  (200M)
    409601     70012       2  fat32  (34M)
    479613  14790275       3  freebsd  [active]  (7.1G)
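
The size check described in this section can be scripted. This is an added example, not part of the original documentation or of pfSense Plus tooling: the function name efi_status and its result labels are hypothetical, and sizes between 800K and 64M are reported as "review" because this page does not say how to treat them. The embedded samples are the two gpart show outputs shown above.

```shell
#!/bin/sh
# Added example: classify the EFI partition from `gpart show` output on stdin.
# Prints one of: undersized, ok, review, no-efi (labels are hypothetical).
# On the firewall itself the input would come from:  gpart show | efi_status
efi_status() {
    awk '
        # Partition rows: start  size  index  type  [flags]  (human size)
        $4 == "efi" {
            found = 1
            size = $NF                    # last field, e.g. "(800K)"
            gsub(/[()]/, "", size)
            unit = substr(size, length(size))
            num  = substr(size, 1, length(size) - 1) + 0
            if      (unit == "K") kib = num
            else if (unit == "M") kib = num * 1024
            else if (unit == "G") kib = num * 1024 * 1024
            else                  kib = -1    # unit not handled here
            if      (kib < 0)      print "review"
            else if (kib <= 800)   print "undersized"   # 800K case: reinstall
            else if (kib >= 65536) print "ok"           # 64M or larger
            else                   print "review"       # assumption: not covered by the page
            exit                                        # first EFI partition only
        }
        END { if (!found) print "no-efi" }
    '
}

# Sample inputs copied from the two examples in this section.
SAMPLE_SMALL='=>       1  15269887  diskid/DISK-B1C82821  MBR  (7.3G)
         1      1600                     1  efi  (800K)
      1601     70012                     2  fat32  (34M)
     71613  15198275                     3  freebsd  (7.2G)'

SAMPLE_OK='=>       1  15269887  mmcsd0  MBR  (7.3G)
         1    409600       1  efi  (200M)
    409601     70012       2  fat32  (34M)
    479613  14790275       3  freebsd  [active]  (7.1G)'

echo "first example:  $(printf '%s\n' "$SAMPLE_SMALL" | efi_status)"
echo "second example: $(printf '%s\n' "$SAMPLE_OK" | efi_status)"
```

The function reads the human-readable size that gpart prints in parentheses rather than the sector count, so it makes no assumption about sector size.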

Take a Backup

Before altering the system, take a local backup. This backup can be restored at the end of the procedure to retain all current settings.

Tip

Use the AutoConfigBackup (ACB) service to store a remote backup, but be sure to note the current device key in ACB as reinstalling will result in the system having a different key unless a backup containing the previous SSH key data is restored.

While AutoConfigBackup is convenient for off-site backups, local file backups can optionally hold and restore much more data including SSH keys, RRD files, and DHCP lease data. Backing up and restoring all of the extra data is not strictly necessary but it makes for a much smoother transition during this kind of reinstallation. Additionally, a local backup can be used with a function such as the External Configuration Locator (ECL) to automatically restore the configuration on the first boot after reinstalling.

Reinstall to Upgrade

Users with affected units must reinstall pfSense Plus software to run version 23.01 or later.

To perform this procedure:

Tip

This is a perfect opportunity to change filesystems from UFS to ZFS!

ZFS is more reliable and has more features than UFS (e.g. ZFS Boot Environments); however, ZFS can be memory hungry. Either filesystem will work, but if RAM usage is critical to other tasks that will run on this firewall, UFS can be a more conservative choice. ZFS memory usage can be tuned, however, so that shouldn’t be the only deciding factor. See ZFS Tuning for details.

Restore the Backup

After completing the installation, restore a backup file using a local file, the AutoConfigBackup service, or another method such as ECL.

See Restoring from Backups for information on the various methods available to restore configuration data.