Issues after upgrading to 23.01
-
Upgraded my Netgate 3100 to 23.01. Everything seems okay, except we’re having trouble loading certain websites, Netgate.com does not load, and Speedtest.net has been sketchy, either won’t load or perform or full test. Have tried looking at DNS settings but can’t seem to resolve the issues? Weirdly, can get to Apple.com and BBC.com (although they are slow to load)?
Any pointers? Have tried adding relevant Patches in System Patches (and rebooting).
-
@digitalvt There are several threads about DNS issues. If you are forwarding, disable DNSSEC and if that doesn’t work disable DNS over TLS.
-
Mmm, how does it fail, what error is shown?
-
For instance, forum.netgate.com, I’m getting This site can’t be reached
-
But what's the actual error shown? It just isn't repsonding? It cannot be resolved?
Can you ping the same FQDN?
-
I’ve just performed a Factory Reset and then Restored from the previous backup from this morning. And still get issues.
I’m getting “The site can’t be reached”, netgate.com took too long to respond.
Err_Timed_Out.Same for forum.netgate.com.
But oddly, BBC.com and Apple.com are reached okay and load okay!?
-
@digitalvt Browser errors can be multiple things. For example I've seen reports of Comcast outages this morning.
Verify it's a DNS issue by running "nslookup netgate.com" (and other hostnames) on your PC.
Did you look at my suggested settings?
-
@steveits
Thanks Steve.
I don’t have DNS forwarder enabled. Have unticked Enable DNSSEC Support in DNS Resolver.Performed a DNS Lookup (within pfsense) of Newgate.com and I get 199.60.103.4, of which I can ping. But I cannot ping netgate.com, it cannot be resolved?
-
@digitalvt I meant, forwarding from the DNS Resolver settings. DNSSEC is apparently problematic while forwarding, and while it seemingly worked fine in previous versions several people report failures in 23.01.
199.60.103.4 is the IP I get. Did you try a DNS lookup from your PC? nslookup will also show what DNS server that PC is using...
-
I would expect to see 'site cannot be resolved' or similar if it's a DNS issue. Easy to test though, just try to ping one of the sites that's failing and see what the error is. If there is one.
-
It seemed a weird issue, I could navigate to the bbc.com, apple.com but netgate.com and this forum I could not resolve. I could ping those addresses.
I unticked the DNSSEC support, which gave me the above results.
So, just for laughs and giggles, I Factory Reset pFsense and manually inputted the barest setups and went and unticked the DNSSEC support button and ALL was GOOD. Could get everywhere.
Am assuming that since this has been an old setup that I have added and added (for over 10 years), that along the way there is something not quite right, an issue buried long ago that has now bitten me on the bum.
So, am going to take this opportunity to (almost) start again, I've been able to re-import restore areas, such as OpenVPN (although I need to add new user certificates ).
Oh well. Thanks all for your kind help!
Ian
