Starlink problem with SG2440 22.05

A.Bursell

@stephenw10 said in Starlink problem with SG2440 22.05:

@a-bursell said in Starlink problem with SG2440 22.05:

DBG(1)[50074]> Fetch: fetching from: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz with opts "i"
pkg: https://pkg01-atx.netgate.com/pkg/pfSense_plus-v22_05_amd64-pfSense_plus_v22_05/meta.txz: Authentication error

This is odd since there is no authentication on that server. One explanation might be that the clock on your 2440 is so far out the server cert appears invalid. Is that possible?
That would also break DNSSec (which is enabled by default) for all DNS servers that support it.

Try disabling DNSSec in the Resolver settings.

Steve

Thanks. I checked and the time is exactly right - pfSense is seeing the correct time and date. I disabled DNSSec anyway - no change.

Also, just for the heck of it, I went back and changed pfSense to ignore local DNS and use remote DNS - which had no change, and then I forced the DNS on the client to a remote DNS (8.8.8.8) and no change again.

Adam

stephenw10

Can that client can ping 8.8.8.8?

Do you see states in pfSense to 8.8.8.8 on port 53 from the client?

A.Bursell

@stephenw10 said in Starlink problem with SG2440 22.05:

Can that client can ping 8.8.8.8?

Do you see states in pfSense to 8.8.8.8 on port 53 from the client?

Client can ping 8.8.8.8 and 1.1.1.1 and 9.9.9.9 ok. Can also ping www.google.com and www.ebay.com -- but cannot ping other addresses like www.netgate.com for example.

Don't have enough knowledge of states, but here is what it looks like for the client to 8.8.8.8 on port 53:

Adam

stephenw10

Hmm, weird. States look good. It's clearly resolving some things.

What's the actual error you see when you try to ping netgate.com from the client?

A.Bursell

@stephenw10 said in Starlink problem with SG2440 22.05:

Hmm, weird. States look good. It's clearly resolving some things.

What's the actual error you see when you try to ping netgate.com from the client?

Not real informative, but it's the usual error...

stephenw10

It does imply it is not resolvable though. Which is odd. 8.8.8.8 should be able to resolve that and we can see it is reachable.

Something local on that client maybe? Some filtering?

Try running a pcap for traffic to/from 8.8.8.8 on the LAN and then try to ping www.netgate.com and see if it's actually sending the query.

Steve

A.Bursell

@stephenw10 said in Starlink problem with SG2440 22.05:

It does imply it is not resolvable though. Which is odd. 8.8.8.8 should be able to resolve that and we can see it is reachable.

Something local on that client maybe? Some filtering?

Try running a pcap for traffic to/from 8.8.8.8 on the LAN and then try to ping www.netgate.com and see if it's actually sending the query.

Steve

Steve,

Thanks again for continuing to try to help. I don't think it's a client issue, remember I tried the DNS lookups on pfSense and they failed there was well- for SOME sites. And of course when I swap pfSense for the other router everything works as it should on the client.

I don't know why, and I know I shouldn't have to, but I'm tempted to try a fresh install of pfSense. If it works it won't give us the answer, and of course if it doesn't work I really don't know. But I have that idea in my back pocket if you think it might be time to try that.

I'll run the pcap when I get back in a little bit and report.

Adam

stephenw10

Yup, sometimes a reinstall helps when nothing else does even though it makes no sense. Usually because there was some obscure setting we forgot about! Hard to see what that could be here though.

Steve

serbus

Hello!

Wild guesses...

When swapping routers with the same ip for testing, could there be arp issues?

Can pfsense get a webpage the client cant? Diagnostics -> Command Prompt -> Execute shell command :

curl -s https://www.pfsense.org

curl -s https://www.netgate.com 

John

A.Bursell

@stephenw10 said in Starlink problem with SG2440 22.05:

Yup, sometimes a reinstall helps when nothing else does even though it makes no sense. Usually because there was some obscure setting we forgot about! Hard to see what that could be here though.

Steve

Thanks - I think I'm getting to that point now.

@serbus said in Starlink problem with SG2440 22.05:

Hello!

Wild guesses...

When swapping routers with the same ip for testing, could there be arp issues?

Can pfsense get a webpage the client cant? Diagnostics -> Command Prompt -> Execute shell command :

curl -s https://www.pfsense.org

curl -s https://www.netgate.com 

John

The routers actually have different IPs - never really thought about that mattering. The pfSense is 192.168.2.1 and the Netgear is 10.0.0.1.

I tried both of those commands and just saw a shell output command at the top with the same command. I tried it in Putty and again didn't see anything. Not sure what I was supposed to see?

Adam

A.Bursell

Went with the nuclear option and did a fresh install of pfSense 2.6 (can't go to 22.05 unless I get out of the local network). NO CHANGE. I didn't touch any settings except the time, and it is exactly the same. No errors during install, everything looks exactly like it should, but I have the exact same problem.

What do I do now?

Is it possible there is some type of hardware incompatibility? This is an SG2440 -- it just works and has worked on everything I've ever used it on for years. And it still works -- just not with my Starlink.

Thoughts?

Adam

serbus

Hello!

The curl command should show the html served up by the address. No output could mean a lookup error. Verify by using the -sv switch with curl.

This thread talks about putting a switch between the starlink v2 ethernet adapter and the customer router to solve a similar (?) problem. Worth a try...

John

A.Bursell

@serbus said in Starlink problem with SG2440 22.05:

Hello!

The curl command should show the html served up by the address. No output could mean a lookup error. Verify by using the -sv switch with curl.

This thread talks about putting a switch between the starlink v2 ethernet adapter and the customer router to solve a similar (?) problem. Worth a try...

John

Well I don't even ... sure enough that thread sounds like exactly the same problem except with a Netgear router (ironiclly my Netgear router works fine), and I did a quick search and even saw the same thing with a Peplink router. There are probably more. I'm going to try the extra switch when I get back later. I don't know why or how it would work, or what the poitential consequences might be, if any, but it's for sure worth a shot.
Thanks,
Adam

A.Bursell

@serbus
I'm genuinely surprised, but sure enough- I put a simple unmanaged switch in-between the Starlink and pfSense and it instantly started working. Don't really understand it except that there must be some type of hardware issue with Starlink that conflicts with certain brands of routers? Suppose it could be software too but definitely a Starlink issue. My next stop will be trying to send info to their tech support and getting them to listen and understand. I don't like the idea of having an extra unnecessary switch installed there.

Thank you everyone for your help!
Adam

stephenw10

Hmm, really weird. Hard to see how that could possibly affect some DNS queries only...

serbus

Hello!

For reference, here is a teardown of the starlink ethernet adapter. Maybe there is a workaround other than a switch.

John

A.Bursell

Update! I heard back from Starlink. They were nice enough to let me know I should only have one router in my network and sent instructions on how to change DNS addresses. I reopened the ticket, explained again, and asked for it to be escalated to a higher tier support so it can be sent to hardware engineering. We will see.
Adam