Starlink problem with SG2440 22.05
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Hmm, so it should still be able resolve it then since Unbound is doing to. But the firewall is still unable to check for updates?
At the command line try running:
pkg -d update
What errors does it return?Are clients connected to the LAN able to ping or resolve netgate.com?
Steve
Thanks again for the help.
When trying to ping netgate.com from the PC client I just get a could not find host error. If I try to ping by the IP 199.60.103.226 I get good replies with no loss, but then when pinging 1826203.group3.sites.hubspot.net again I get a could not find host error.
When I run the package update command it took a long time ultimately errored out. Here is what it looks like:
[22.05-RELEASE][root@pfSense.home.arpa]/root: pkg -d update
DBG(1)[50074]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[50074]> PkgRepo: verifying update for pfSense-core
DBG(1)[50074]> PkgRepo: need forced update of pfSense-core
DBG(1)[50074]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.conf with opts "i"
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.pkg: Authentication error
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
DBG(1)[50074]> PkgRepo: verifying update for pfSense
DBG(1)[50074]> PkgRepo: need forced update of pfSense
DBG(1)[50074]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.conf with opts "i"
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.pkg: Authentication error
DBG(1)[50074]> Request to fetch pkg+https://firmware.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz
DBG(1)[50074]> opening libfetch fetcher
DBG(1)[50074]> Fetch > libfetch: connecting
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!Adam
-
This seems like a Starlink DNS fail. Under settings/General Setup if you uncheck Allow DNS override and then add DNS servers like 1.1.1.1 and 9.9.9.9 does it work now??
-
@jeff3820 said in Starlink problem with SG2440 22.05:
This seems like a Starlink DNS fail. Under settings/General Setup if you uncheck Allow DNS override and then add DNS servers like 1.1.1.1 and 9.9.9.9 does it work now??
I had previously had other DNS servers in there and changed the setting to force using external DNS instead of local. No change there. Same results.
So basically when I plug Starlink into another router like my Netgear, DNS everything works fine. But when I plug it in pfSense, DNS fails - sort of. I can translate some addresses but I can't actually get out.
-
Test using https://testdns.fr/ and look for netgate.com
Your browser should be able to contact all 13 root servers.
And at least one TLD that hosts '.com'
If success,, follow the link after "Result"@jeff3820 said in Starlink problem with SG2440 22.05:
This seems like a Starlink DNS fail
Your not using Starlinks DNS.
Default, pfSense resolves.You saw the 13 a.root-servers.net ..... m.root-servers.net servers above ?
These are the actual official Internet DNS servers.
These 13 servers can telle you where all the TLD servers are.
And the TLS servers now how to find a domainname server, the iones that can tell you all about "netgate.com"Not having access to at least one root "X.root-servers.net means" your connection is .... well, I call it very bad. I don't believe that Starlink would be blocking access to any 13 of them, but, who knows ...
Default, pfSense doesn't care if an upstream router offers DNS facilities (handed over when it did a DHCP lease request on WAN) : it use the original root servers to drill down to domain name server your looking for.
I can imagine that the Starlink router intercepts DNS UDP and TCP request on its LAN ports, so it redirects (== forwards) them to a Starlink DNS, because they want you to take the shortest path (and they want your DNS data as that means revenue for them).
But thi sis me just thinking out loud.Most, if not all Youttube "Starlink + pfSense" disable resolving, and will (all) use the forwarding mode. I'm not sure if this is needed, or if all the video author received a financial participation from 8.8.8.8 etc.
I saw a video and redit post where the Starlink router isn't even needed : I would prefer such a setup.
-
Hellol!
I have several round starlink dishes running through sg-1100's.
Some are on 21.05.2 and others are on 22.05.
All are running the starlink equipment in router mode (double nat). Bridging was flaky.
All are running the dns resolver. No forwarding.
All interfaces connected to starlink have the IPv6 Configuration Type set to NONE.I am not seeing any issues resolving netgate.com or any other names. The connections have been stable.
Have you checked your connection stats and outages?
John
-
@a-bursell said in Starlink problem with SG2440 22.05:
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication errorThis is odd since there is no authentication on that server. One explanation might be that the clock on your 2440 is so far out the server cert appears invalid. Is that possible?
That would also break DNSSec (which is enabled by default) for all DNS servers that support it.Try disabling DNSSec in the Resolver settings.
Steve
-
@gertjan said in Starlink problem with SG2440 22.05:
netgate.com
Thanks - I tried. I can't even get out to the DNS test site you linked. I cannot get anywhere with a web browser. I have tried running with pfSense DNS and with forcing outside DNS servers and it fails the same. BUT, if I use another router it works fine. This leads me to believe the problem is in pfSense. The earlier StarLinks could be used without their router - this is a v2 so it is required unfortunately. I would have preferred that as well.
@serbus said in Starlink problem with SG2440 22.05:
Hellol!
I have several round starlink dishes running through sg-1100's.
Some are on 21.05.2 and others are on 22.05.
All are running the starlink equipment in router mode (double nat). Bridging was flaky.
All are running the dns resolver. No forwarding.
All interfaces connected to starlink have the IPv6 Configuration Type set to NONE.I am not seeing any issues resolving netgate.com or any other names. The connections have been stable.
Have you checked your connection stats and outages?
John
Thanks - but it's not an outage issue. It instantly starts working if I swap router for an old Netgear I have here. When I put the SG2440 in, it fails like this every time. And I swap to the other router and it works again.
Adam
-
@stephenw10 said in Starlink problem with SG2440 22.05:
@a-bursell said in Starlink problem with SG2440 22.05:
DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication errorThis is odd since there is no authentication on that server. One explanation might be that the clock on your 2440 is so far out the server cert appears invalid. Is that possible?
That would also break DNSSec (which is enabled by default) for all DNS servers that support it.Try disabling DNSSec in the Resolver settings.
Steve
Thanks. I checked and the time is exactly right - pfSense is seeing the correct time and date. I disabled DNSSec anyway - no change.
Also, just for the heck of it, I went back and changed pfSense to ignore local DNS and use remote DNS - which had no change, and then I forced the DNS on the client to a remote DNS (8.8.8.8) and no change again.
Adam
-
Can that client can ping 8.8.8.8?
Do you see states in pfSense to 8.8.8.8 on port 53 from the client?
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Can that client can ping 8.8.8.8?
Do you see states in pfSense to 8.8.8.8 on port 53 from the client?
Client can ping 8.8.8.8 and 1.1.1.1 and 9.9.9.9 ok. Can also ping www.google.com and www.ebay.com -- but cannot ping other addresses like www.netgate.com for example.
Don't have enough knowledge of states, but here is what it looks like for the client to 8.8.8.8 on port 53:
Adam
-
Hmm, weird. States look good. It's clearly resolving some things.
What's the actual error you see when you try to ping netgate.com from the client?
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Hmm, weird. States look good. It's clearly resolving some things.
What's the actual error you see when you try to ping netgate.com from the client?
Not real informative, but it's the usual error...
-
It does imply it is not resolvable though. Which is odd. 8.8.8.8 should be able to resolve that and we can see it is reachable.
Something local on that client maybe? Some filtering?
Try running a pcap for traffic to/from 8.8.8.8 on the LAN and then try to ping www.netgate.com and see if it's actually sending the query.
Steve
-
@stephenw10 said in Starlink problem with SG2440 22.05:
It does imply it is not resolvable though. Which is odd. 8.8.8.8 should be able to resolve that and we can see it is reachable.
Something local on that client maybe? Some filtering?
Try running a pcap for traffic to/from 8.8.8.8 on the LAN and then try to ping www.netgate.com and see if it's actually sending the query.
Steve
Steve,
Thanks again for continuing to try to help. I don't think it's a client issue, remember I tried the DNS lookups on pfSense and they failed there was well- for SOME sites. And of course when I swap pfSense for the other router everything works as it should on the client.
I don't know why, and I know I shouldn't have to, but I'm tempted to try a fresh install of pfSense. If it works it won't give us the answer, and of course if it doesn't work I really don't know. But I have that idea in my back pocket if you think it might be time to try that.
I'll run the pcap when I get back in a little bit and report.
Adam
-
Yup, sometimes a reinstall helps when nothing else does even though it makes no sense. Usually because there was some obscure setting we forgot about! Hard to see what that could be here though.
Steve
-
Hello!
Wild guesses...
When swapping routers with the same ip for testing, could there be arp issues?
Can pfsense get a webpage the client cant? Diagnostics -> Command Prompt -> Execute shell command :
curl -s https://www.pfsense.orgcurl -s https://www.netgate.comJohn
-
@stephenw10 said in Starlink problem with SG2440 22.05:
Yup, sometimes a reinstall helps when nothing else does even though it makes no sense. Usually because there was some obscure setting we forgot about! Hard to see what that could be here though.
Steve
Thanks - I think I'm getting to that point now.
@serbus said in Starlink problem with SG2440 22.05:
Hello!
Wild guesses...
When swapping routers with the same ip for testing, could there be arp issues?
Can pfsense get a webpage the client cant? Diagnostics -> Command Prompt -> Execute shell command :
curl -s https://www.pfsense.orgcurl -s https://www.netgate.comJohn
The routers actually have different IPs - never really thought about that mattering. The pfSense is 192.168.2.1 and the Netgear is 10.0.0.1.
I tried both of those commands and just saw a shell output command at the top with the same command. I tried it in Putty and again didn't see anything. Not sure what I was supposed to see?
Adam
-
Went with the nuclear option and did a fresh install of pfSense 2.6 (can't go to 22.05 unless I get out of the local network). NO CHANGE. I didn't touch any settings except the time, and it is exactly the same. No errors during install, everything looks exactly like it should, but I have the exact same problem.
What do I do now?
Is it possible there is some type of hardware incompatibility? This is an SG2440 -- it just works and has worked on everything I've ever used it on for years. And it still works -- just not with my Starlink.
Thoughts?
Adam
-
Hello!
The curl command should show the html served up by the address. No output could mean a lookup error. Verify by using the -sv switch with curl.
This thread talks about putting a switch between the starlink v2 ethernet adapter and the customer router to solve a similar (?) problem. Worth a try...
John
-
@serbus said in Starlink problem with SG2440 22.05:
Hello!
The curl command should show the html served up by the address. No output could mean a lookup error. Verify by using the -sv switch with curl.
This thread talks about putting a switch between the starlink v2 ethernet adapter and the customer router to solve a similar (?) problem. Worth a try...
John
Well I don't even ... sure enough that thread sounds like exactly the same problem except with a Netgear router (ironiclly my Netgear router works fine), and I did a quick search and even saw the same thing with a Peplink router. There are probably more. I'm going to try the extra switch when I get back later. I don't know why or how it would work, or what the poitential consequences might be, if any, but it's for sure worth a shot.
Thanks,
Adam
