Upgrading a VPC Instance¶
Periodically, new releases of the AMI are issued to track new releases of pfSense® that may provide new functionality, bug fixes, and security updates.
The lower risk approach to upgrading is to bring up a new instance alongside the existing one and executing a cutover. These instructions detail the procedure for moving your existing instance to one running the latest version.
Back up the configuration of your exsting instance by navigating to Backup/Restore under the Diagnostics menu in the Web GUI. Click the Download configuration button under the Backup Configuration heading and save your config file to your local system.
Bring up a new instance of the pfSense Certified Router/Firewall/VPN running the latest version.
When creating the instance, make sure the interfaces match the interfaces on the existing instance. Make sure that the new instance is in the same VPC as the existing instance and that it has the same number of interfaces attached and that the interfaces are connected to the same Subnets.
Make sure any interfaces on the new instance that will communicate with private Subnets have the Source/Destination check disabled.
Allocate a new Elastic IP and associate it to the WAN interface of the new instance to allow yourself management access.
Restore the backed up configuration file to the new instance. Navigate to Backup/Restore under the Diagnostics menu in the Web GUI. Under the Restore Configuration heading, click the Choose File button and browse for the configuration file you backed up from the existing instance earlier. Once you have selected that file, click the Restore configuration button. The configuration file will be uploaded and the instance will reboot automatically.
If you had packages installed on the old instance, navigate to Packages under the System menu in the pfSense web GUI and install the same packages.
If there was any external dependency on the public IP address of the existing instance, you can remove the Elastic IP Address from the upgraded instance and move the Elastic IP Address from the existing instance to the upgraded instance. External dependencies that might cause you to want to do this include things like VPN’s configured to external devices that rely on the existing instance’s Elastic IP address, or access lists on external devices that allow access to traffic from the existing instance’s IP address. There may be other reasons why you would wish to keep the existing address as well (to preserve existing bookmarks to the Web GUI, reduce the need for updates to existing internal documentation, etc). The process for moving the old Elastic IP address to the new instance is as follows:
Disassociate the Elastic IP address from the new instance. In the EC2 Management Console, click on Elastic IPs under the Network & Security heading. Check the box next to the Elastic IP address assigned to the new instance and click on the Disassociate Address button.
Disassociate the Elastic IP address from the old instance. The procedure is the same as in the previous step, just repeated for the Eastic IP address of the old instance this time.
Associate the Elastic IP address that was previously associated to the old instance to public interface of the new instance. In the EC2 Management Console, click on Elastic IPs. Check the box next to the Elastic IP address you are moving and click the Associate Address button. Fill in the correct value for the Instance or Network Interface and select the Private IP Address of the public interface on the new instance. Click the Associate button. The management interface of the new instance should now be accessible.
Move any default routes that pointed to an interface on the old instance to point to the equivalent interface on the new instance. In the VPC Management Console, click on Route Tables under the Virtual Private Cloud heading. Check the box next to a Route Table associated with the VPC that the instances is located in.
In the detail pane that appears at the bottom of the screen, click on the Routes tab.
If a route exists for 0.0.0.0/0 with a Target that is an interface ID of an interface on the old instnace, click the Edit button above the table displaying the routes.
Click the red X next to the row for 0.0.0.0/0 to remove the existing route.
There should be a blank row with empty fields for a new route. Enter
0.0.0.0/0in the Destination field and the Network Interface ID of the interface on the new instance in the Target field. Click on the Save button.
If there were multiple private subnets in the VPC which were pointed to interfaces on the pfSense instance, repeat this process for the other Route Tables associated with the VPC.
The new instance should now be functioning as the old one did.