Bug #16678
Automatic Boot verification performs rollback to previous Boot Environment when system is rebooted without internet connectivity
Status: New
Priority: Normal
Assignee: -
Category: Upgrade
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 25.11.1
Affected Architecture: 6100
Description
While pre-configuring a Netgate 6100 appliance for deployment at a customer site, we encountered unexpected behavior with the Automatic Boot Verification mechanism that resulted in an automatic rollback to a previous Boot Environment when the system was rebooted without Internet connectivity.
The rollback also reverted the system to the previous pfSense Plus software version, even though no software failure occurred.
Configuration steps to reproduce:
- Unbox a new Netgate 6100 and boot the system, configure WAN to DHCP and connect it to a network with Internet access and complete the firewall configuration for the site (interfaces, subnets, firewall rules, etc.).
- Upgrade pfSense Plus from 25.07.1 (factory version) to 25.11.1 (WAN remains configured for DHCP at this stage).
- Verify that the system is fully functional and everything works as expected.
- As the final preparation step before deployment: Change the WAN interface from DHCP to static IPv4 and select the corresponding gateway as the system's default gateway.
- Reboot the firewall one last time while still in the office environment to ensure everything works (of course, this time the system lacks Internet connectivity because the WAN interface is already pre-configured to static IPv4 for deployment at the customer site).
- The WebGUI displays the banner: “Automatic Boot Verification is still running, please wait...” which seems to remain indefinitely after reboot and after some time becomes heavily unresponsive. The firewall also stops responding to ICMP ping requests some time later.
- The system reboots and performs a rollback to the previous Boot Environment (which was automatically created before upgrading to 25.11.1) which is also indicated by the corresponding banner "Boot verification failed for default. Netgate pfSense Plus was automatically rebooted back into default_202601XXXXXXX" in the WebGUI.
- The rollback to the previous Boot Environment restores both the previous software version (25.07.1) and the previous WAN configuration, which leads to restoring Internet connectivity.
- The system should not perform a rollback to a previous Boot Environment solely because Internet connectivity is unavailable after a reboot.
- An intentional configuration change that (temporarily) removes Internet connectivity should not inevitably cause "Automatic boot verification" to fail.
- Because no manual Boot Environment was created after upgrading to 25.11.1 and before/after changing the WAN configuration, the only available "previous" BE was the one which was automatically created by the upgrade from 25.07.1 to 25.11.1
- Because the "Automatic Boot verification" process / the BE feature operates on ZFS snapshots rather than pfSense config versions, it cannot distinguish between the software upgrade from 25.07.1 to 25.11.1 and the subsequent WAN configuration change. Consequently, the rollback to the previous Boot Environment also reverts the pfSense Plus software version.
- According to this YouTube video [1] by one of Netgate's engineers, "a watchdog timer is started that simply reboots the system after a fixed period of time" into the previous Boot Environment if boot verification does not complete.
- It appears that the system is not able to stop the watchdog timer (or the watchdog timer is intentionally not stopped ?!) if the system lacks internet connectivity.
- Is Internet connectivity a requirement for Automatic Boot Verification to complete successfully, e.g. is Internet connectivity needed within the first 5 minutes (I read somewhere that the watchdog has a timeout of 300s) to successfully stop the watchdog?
- What steps or countermeasures are required to prevent the system from automatically rolling back to a previous Boot Environment if Internet connectivity is unavailable during, or shortly after, boot?
[1] "Deep Dive into the NEW ZFS Boot Environments feature in pfSense Plus v24.03": https://www.youtube.com/watch?v=LKtE0zxnF4I
We would like to fully understand this behavior. Thank you for looking into this.