Troubleshooting Upgrades on Netgate 1100 and Netgate 2100 Devices

Low Available RAM

Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running. This includes some Netgate hardware such as the Netgate 1100 when running with ZFS and/or certain services/packages. For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade.


A Pre-Upgrade Reboot can also temporarily reduce memory used for ZFS caching, which can help in this situation as well.

EFI Partition Size

Some older installations of pfSense Plus software on Netgate 1100, Netgate 2100, and Netgate 2100 MAX devices contain an EFI partition which does not have sufficient space to accommodate the new EFI loader for version 23.01 and later. This primarily affects UFS-based systems initially installed with pfSense Plus software version 21.02-p1 or before.

Upgrade Notice

Users of affected devices will see a warning about the EFI partition when attempting to upgrade.

When the upgrade check runs, it inspects the system for this problem and files a notice if it identifies a problem:


Notice in the GUI after upgrade check

A similar notice is printed at the command line when checking for updates there:

: pfSense-upgrade -c
ERROR: Cannot update the EFI loader on this device. Contact TAC at for assistance upgrading this device.

Check if the Device is Affected

Users can inspect the EFI partition size by checking the output of gpart show.

If the EFI partition size is small (800K), then the device must be reinstalled. Larger EFI partition sizes (64M or larger) are OK.

This example is a device with an undersized EFI partition:

: gpart show
=>       1  15269887  diskid/DISK-B1C82821  MBR  (7.3G)
         1      1600                     1  efi  (800K)
      1601     70012                     2  fat32  (34M)
     71613  15198275                     3  freebsd  (7.2G)

Note the size of the efi type partition, which is 800K.

This example is a device with an EFI partition which can be upgraded:

: gpart show
=>       1  15269887  mmcsd0  MBR  (7.3G)
         1    409600       1  efi  (200M)
    409601     70012       2  fat32  (34M)
    479613  14790275       3  freebsd  [active]  (7.1G)

Take a Backup

Before altering the system, take a local backup. This backup can be restored at the end of the procedure to retain all current settings.


Use the AutoConfigBackup (ACB) service to store a remote backup, but be sure to note the current device key in ACB as reinstalling will result in the system having a different key unless a backup containing the previous SSH key data is restored.

While AutoConfigBackup is convenient for off-site backups, local file backups can optionally hold and restore much more data including SSH keys, RRD files, and DHCP lease data. Backing up and restoring all of the extra data is not strictly necessary but it makes for a much smoother transition during this kind of reinstallation. Additionally, a local backup can be used with a function such as the External Configuration Locator (ECL) to automatically restore the configuration on the first boot after reinstalling.

Reinstall to Upgrade

Users with affected units must reinstall pfSense Plus software to run version 23.01 or later.

To perform this procedure:


This is a perfect opportunity to change filesystems from UFS to ZFS!

ZFS is more reliable and has more features than UFS (e.g. ZFS Boot Environments), however ZFS can be memory hungry. Either filesystem will work, but if RAM usage is critical to other tasks that will run on this firewall, UFS can be a more conservative choice. ZFS memory usage can be tuned, however, so that shouldn’t be the only deciding factor. See ZFS Tuning for details.

Restore the Backup

Restore a backup file after completing the installation using a local file, Using the AutoConfigBackup Service, or another method such as ECL.

See Restoring from Backups for information on the various methods available to restore configuration data.