OPNSense and BSD Boot Environments

I’ve been using OPNSense for my home firewall for many years now, and I previously ran it as a VM in a Proxmox virtual server. That worked great for my purposes, but I’ve since upgraded to a dedicated physical device (Protectli) running OPNSense and I love it.

However, with the migration away from a VM, I lost the ability to create a snapshot of the system prior to an upgrade, so that if something went wrong I could easily roll back.

Recently I learned about BSD Boot Environments and the bectl utility and how they can help fill that gap!

  1. Log in via SSH and start a shell session

  2. List any current/previous boot environment (BE) snapshots

root@opnsense-fw:~ # bectl list
BE     Active Mountpoint Space Created
22.7.2 -      -          1.04G 2021-09-05 10:57
22.7.4 -      -          388M  2022-09-02 09:28
22.7.5 NR     /          4.09G 2022-10-05 08:58

In the “Active” column, the “N” stands for “Now” and “R” is “Reboot”, showing which BE is active now vs after the next reboot.

  3. Create and activate a new BE

root@opnsense-fw:~ # bectl create [new_version]
root@opnsense-fw:~ # bectl activate [new_version]

  4. Reboot and upgrade

  5. Validate BE; remove oldest BE

root@opnsense-fw:~ # bectl list
BE     Active Mountpoint Space Created
22.7.2 -      -          1.04G 2021-09-05 10:57
22.7.4 -      -          896M  2022-09-02 09:28
22.7.5 NR     /          4.84G 2022-10-05 08:58
root@opnsense-fw:~ # bectl destroy 22.7.2
root@opnsense-fw:~ # bectl list
BE     Active Mountpoint Space Created
22.7.4 -      -          1.13G 2022-09-02 09:28
22.7.5 NR     /          3.80G 2022-10-05 08:58
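
A guard worth having before the final destroy step, as an added example (not from the original post): these helpers read `bectl list -H` output on stdin and only name a BE for removal if it is neither active now nor set for the next reboot. The function names and `sample_list` (the second listing above re-typed in `-H` form) are constructed here, and the tab-separated column order of `-H` is assumed to match the default listing.

```shell
#!/bin/sh
# Added example: helpers for scripting the BE cleanup step.
# Each function reads `bectl list -H` output on stdin. Assumption: -H prints
# one BE per line, tab-separated: name, active, mountpoint, space, created.
LC_ALL=C; export LC_ALL

# Constructed sample: the second listing from the post, re-typed in -H form.
sample_list() {
    printf '22.7.2\t-\t-\t1.04G\t2021-09-05 10:57\n'
    printf '22.7.4\t-\t-\t896M\t2022-09-02 09:28\n'
    printf '22.7.5\tNR\t/\t4.84G\t2022-10-05 08:58\n'
}

# Print the BE whose Active column contains the given flag (N or R).
be_with_flag() {
    awk -F '\t' -v f="$1" 'index($2, f) { print $1 }'
}

# Exit 0 only if the named BE exists and is neither active now nor on reboot.
safe_to_destroy() {
    awk -F '\t' -v n="$1" '
        $1 == n { found = 1; if ($2 == "-") ok = 1 }
        END { exit !(found && ok) }'
}

# Print inactive BEs that fall outside the newest KEEP ones (by Created).
prune_candidates() {
    awk -F '\t' '$2 == "-" { print $5 "\t" $1 }' |
        sort -r |
        awk -F '\t' -v keep="$1" 'NR > keep { print $2 }'
}

# On the firewall (not run here):
#   for be in $(bectl list -H | prune_candidates 1); do
#       bectl list -H | safe_to_destroy "$be" && bectl destroy "$be"
#   done
```

With the sample data and `prune_candidates 1`, the only candidate is 22.7.2, the same BE the post removes by hand.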