Starlink problem with SG2440 22.05
-
@gertjan said in Starlink problem with SG2440 22.05:
@a-bursell said in Starlink problem with SG2440 22.05:
old Netgear router I had kicking around and I am typing this on that setup now. It was literally plug-and-play.
Because it doesn't use "192.168.1.1/24" as a LAN setup.
So, easy, set-up pfSense to use something else as "192.168.1.1/24"on its LAN.
Use for example 192.168.2.1/24 on its LAN, set up the DHCP server for LAN accordingly and you'll be fine.Thanks for the reply.
I thought I mentioned I did change the IP of pfSense to 10.0.0.1 - I recognized the conflict. But I still had the same issue. Unless I didn't give it enough time or didn't reboot it enough? But it appeared to be working. I changed the IP and adjusted the DHCP range both and was able to pull an address...? -
Ok, so pfSense is pulling a DHCP lease from the starlink router in the 192.168.1.X subnet?
You said you can ping by IP and by name? That implies it's not a DNS issue. How exactly are you testing that?
Try testing from Diag > Ping in the gui. Also try Diag > DNS lookup.Make sure you have a valid default route in Diag > Routes.
Steve
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Ok, so pfSense is pulling a DHCP lease from the starlink router in the 192.168.1.X subnet?
You said you can ping by IP and by name? That implies it's not a DNS issue. How exactly are you testing that?
Try testing from Diag > Ping in the gui. Also try Diag > DNS lookup.Make sure you have a valid default route in Diag > Routes.
Steve
Thanks for the reply.
I just re-loaded my known working settings from my previous setup and again verified that they work. Then, I changed the LAN IP to 192.168.2.1, as well as matching the DHCP server. I connected Starlink to the WAN port (and unplugged the OPT1 and OPT2, and connected a PC directly to the LAN port. I rebooted Starlink, but left it in it's default router state.Result - I pulled an IP address on the PC in the 192.168.2.164 range. pfSense gets an IP of 192.168.1.164 and IPv6 from Starlink. Starlink shows as a gateway in pfSense with an IP of 192.168.1.1. I rebooted pfSense. So far so good.
Diag>Ping
I can successfully ping SOME sites, like www.google.com - but others like www.apple.com, for example, fail.Diag>DNS
I can successfully use DNS on SOME sites. Example - www.ebay.com comes up very fast on all DNS servers (including local), but others like www.microsoft.com sit and sit and then fail (local shows 3ms but others could not resolve).Diag>Routes
Believe this shows correct but did not look at this screen before - Default is 192.168.1.1 on igb0 as well as 8.8.8.8. Other entries show Link #'s - Link #1 for 192.168.1.0/24 and 192.168.1.164 (my PC IP) - Link # 2 for 192.168.2.0/24 and 192.168.2.1. The entry for 127.0.0.1 shows Link #6. There are a whole host of IPv6 routes shown as well. I'm not familiar with this screen so I don't know if it's correct or not (though I can go back and check my other setup).Does any of this help?
Adam
-
@a-bursell said in Starlink problem with SG2440 22.05:
(and unplugged the OPT1 and OPT2, and connected a PC directly to the LAN port
You should know that, when pfSense is installed, only a WAN and LAN exist.
Any other interface can be assigned afterwards as a extra LAN or extra WAN interface.
When you create a OPTx interface, it will not have a IP set-up : you have add one.
Like 192.168.2.1 mask 24
It also have to set up a DHCP server on that interface.
You will also have to add firewall rules for that OPT interface. NO rules means : no traffic will enter that interface, as the default is block everything. -
@gertjan said in Starlink problem with SG2440 22.05:
@a-bursell said in Starlink problem with SG2440 22.05:
(and unplugged the OPT1 and OPT2, and connected a PC directly to the LAN port
You should know that, when pfSense is installed, only a WAN and LAN exist.
Any other interface can be assigned afterwards as a extra LAN or extra WAN interface.
When you create a OPTx interface, it will not have a IP set-up : you have add one.
Like 192.168.2.1 mask 24
It also have to set up a DHCP server on that interface.
You will also have to add firewall rules for that OPT interface. NO rules means : no traffic will enter that interface, as the default is block everything.Yes- understood. I mentioned I had a 3-WAN setup- when I unplugged OPT1 and OPT2 I was eliminating any potential issues there during this troubleshooting. They were not in use as additional LAN ports and it did not make any difference. So current setup is Starlink into the WAN port and a PC connected directly to the LAN port.
Thanks,
Adam -
Sounds like it might be a bad subnet mask perhaps or an MTU issue.
Can you show us the routing table?How does it fail on the sites you cannot ping? What error is shown?
Which DNS server are failing?
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Sounds like it might be a bad subnet mask perhaps or an MTU issue.
Can you show us the routing table?How does it fail on the sites you cannot ping? What error is shown?
Which DNS server are failing?
I did a factory reset on the 2440 (not a fresh install) and did not change any settings. Previously I had tried Google DNS and OpenDNS, this time I left everything, so DNS is whatever Starlink uses. Rebooted the 2440 and Starlink. Here are screenshots which I hope will be helpful:
(IP of www.netgate.com)
Adam -
@a-bursell Since our main website is hosted a third-party platform what do you get when you try to look up the CNAME listed above?
1826203.group3.sites.hubspot.net? -
@rcoleman-netgate said in Starlink problem with SG2440 22.05:
@a-bursell Since our main website is hosted a third-party platform what do you get when you try to look up the CNAME listed above?
1826203.group3.sites.hubspot.net?
-
Hmm, so the Starlink router is unable to resolve netgate.com.
What do you have the dns preference set to in Sys > General Setup?
I assume Unbound is still set in resolving mode?
Steve
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Hmm, so the Starlink router is unable to resolve netgate.com.
What do you have the dns preference set to in Sys > General Setup?
I assume Unbound is still set in resolving mode?
Steve
No changes from factory defaults (except the time zone in case having the correct time on something was important for troubleshooting).
-
Hmm, so it should still be able resolve it then since Unbound is doing to. But the firewall is still unable to check for updates?
At the command line try running:
pkg -d update
What errors does it return?Are clients connected to the LAN able to ping or resolve netgate.com?
Steve
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Hmm, so it should still be able resolve it then since Unbound is doing to. But the firewall is still unable to check for updates?
At the command line try running:
pkg -d update
What errors does it return?Are clients connected to the LAN able to ping or resolve netgate.com?
Steve
Thanks again for the help.
When trying to ping netgate.com from the PC client I just get a could not find host error. If I try to ping by the IP 199.60.103.226 I get good replies with no loss, but then when pinging 1826203.group3.sites.hubspot.net again I get a could not find host error.
When I run the package update command it took a long time ultimately errored out. Here is what it looks like:
[22.05-RELEASE][root@pfSense.home.arpa]/root: pkg -d update
DBG(1)[50074]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[50074]> PkgRepo: verifying update for pfSense-core
DBG(1)[50074]> PkgRepo: need forced update of pfSense-core
DBG(1)[50074]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg: Authentication error
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
DBG(1)[50074]> PkgRepo: verifying update for pfSense
DBG(1)[50074]> PkgRepo: need forced update of pfSense
DBG(1)[50074]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg: Authentication error
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!Adam
-
This seems like a Starlink DNS fail. Under settings/General Setup if you uncheck Allow DNS override and then add DNS servers like 1.1.1.1 and 9.9.9.9 does it work now??
-
@jeff3820 said in Starlink problem with SG2440 22.05:
This seems like a Starlink DNS fail. Under settings/General Setup if you uncheck Allow DNS override and then add DNS servers like 1.1.1.1 and 9.9.9.9 does it work now??
I had previously had other DNS servers in there and changed the setting to force using external DNS instead of local. No change there. Same results.
So basically when I plug Starlink into another router like my Netgear, DNS everything works fine. But when I plug it in pfSense, DNS fails - sort of. I can translate some addresses but I can't actually get out.
-
Test using https://testdns.fr/ and look for netgate.com
Your browser should be able to contact all 13 root servers.
And at least one TLD that hosts '.com'
If success,, follow the link after "Result"@jeff3820 said in Starlink problem with SG2440 22.05:
This seems like a Starlink DNS fail
Your not using Starlinks DNS.
Default, pfSense resolves.You saw the 13 a.root-servers.net ..... m.root-servers.net servers above ?
These are the actual official Internet DNS servers.
These 13 servers can telle you where all the TLD servers are.
And the TLS servers now how to find a domainname server, the iones that can tell you all about "netgate.com"Not having access to at least one root "X.root-servers.net means" your connection is .... well, I call it very bad. I don't believe that Starlink would be blocking access to any 13 of them, but, who knows ...
Default, pfSense doesn't care if an upstream router offers DNS facilities (handed over when it did a DHCP lease request on WAN) : it use the original root servers to drill down to domain name server your looking for.
I can imagine that the Starlink router intercepts DNS UDP and TCP request on its LAN ports, so it redirects (== forwards) them to a Starlink DNS, because they want you to take the shortest path (and they want your DNS data as that means revenue for them).
But thi sis me just thinking out loud.Most, if not all Youttube "Starlink + pfSense" disable resolving, and will (all) use the forwarding mode. I'm not sure if this is needed, or if all the video author received a financial participation from 8.8.8.8 etc.
I saw a video and redit post where the Starlink router isn't even needed : I would prefer such a setup.
-
Hellol!
I have several round starlink dishes running through sg-1100's.
Some are on 21.05.2 and others are on 22.05.
All are running the starlink equipment in router mode (double nat). Bridging was flaky.
All are running the dns resolver. No forwarding.
All interfaces connected to starlink have the IPv6 Configuration Type set to NONE.I am not seeing any issues resolving netgate.com or any other names. The connections have been stable.
Have you checked your connection stats and outages?
John
-
@a-bursell said in Starlink problem with SG2440 22.05:
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication errorThis is odd since there is no authentication on that server. One explanation might be that the clock on your 2440 is so far out the server cert appears invalid. Is that possible?
That would also break DNSSec (which is enabled by default) for all DNS servers that support it.Try disabling DNSSec in the Resolver settings.
Steve
-
@gertjan said in Starlink problem with SG2440 22.05:
netgate.com
Thanks - I tried. I can't even get out to the DNS test site you linked. I cannot get anywhere with a web browser. I have tried running with pfSense DNS and with forcing outside DNS servers and it fails the same. BUT, if I use another router it works fine. This leads me to believe the problem is in pfSense. The earlier StarLinks could be used without their router - this is a v2 so it is required unfortunately. I would have preferred that as well.
@serbus said in Starlink problem with SG2440 22.05:
Hellol!
I have several round starlink dishes running through sg-1100's.
Some are on 21.05.2 and others are on 22.05.
All are running the starlink equipment in router mode (double nat). Bridging was flaky.
All are running the dns resolver. No forwarding.
All interfaces connected to starlink have the IPv6 Configuration Type set to NONE.I am not seeing any issues resolving netgate.com or any other names. The connections have been stable.
Have you checked your connection stats and outages?
John
Thanks - but it's not an outage issue. It instantly starts working if I swap router for an old Netgear I have here. When I put the SG2440 in, it fails like this every time. And I swap to the other router and it works again.
Adam
-
@stephenw10 said in Starlink problem with SG2440 22.05:
@a-bursell said in Starlink problem with SG2440 22.05:
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication errorThis is odd since there is no authentication on that server. One explanation might be that the clock on your 2440 is so far out the server cert appears invalid. Is that possible?
That would also break DNSSec (which is enabled by default) for all DNS servers that support it.Try disabling DNSSec in the Resolver settings.
Steve
Thanks. I checked and the time is exactly right - pfSense is seeing the correct time and date. I disabled DNSSec anyway - no change.
Also, just for the heck of it, I went back and changed pfSense to ignore local DNS and use remote DNS - which had no change, and then I forced the DNS on the client to a remote DNS (8.8.8.8) and no change again.
Adam
