Upgrading pfSense® on a High Availability Cluster

There is more to updating a cluster than the typical process, but in all updating a cluster is much less disruptive as the users will not have any downtime in most all cases.

If at any point in this procedure a failure condition is encountered, seek assistance from support.

Review the Changelog and Upgrade Guide

Before starting any part of an upgrade, first look at the Netgate Blog and release changelogs for any notable changes or items to be aware of between the version currently in use and the one that will be in use after upgrading.

Common issues are also listed in the upgrade guide, especially for major version upgrades.

Backup

Before starting, take a fresh backup from Diagnostics > Backup/Restore on both nodes.

Warning

Do not skip this step! A backup is quick and easy to do, and invaluable to have if the upgrade does not go as expected!

Download installation media for the release currently in use if a reinstall is necessary.

Upgrade Secondary

Perform the OS upgrade on the secondary node first. This way, if the upgrade fails, there is no interruption and if a reinstall is needed, it can be done without worry.

Test Secondary

Once the secondary has booted back up, login and confirm that it is running as expected. If all services are active, the CARP status is OK, and so on then it is time to test. Force a failover from the primary node by placing it into maintenance mode (See Testing Failover) and observe what happens on the secondary. If the secondary takes over OK and traffic continues to flow, then it is OK to proceed.

Upgrade Primary

With the primary node in maintenance mode, it is safe to upgrade without additional interference. Initiate the OS upgrade and let the system reboot. Once it has rebooted, confirm that local services are running as expected and then take the node out of maintenance mode.

Test Again

With both units on the current OS and active, run some final tests to ensure that services are operational, traffic is flowing, and that the CARP, DHCP, and other status areas are all running properly.