Unable to check for updates

hugoeyng

hugoeyng

@stephenw10 Hi. How are you?

Some news?

Tom8

Same behavior here.
In my case the second gateway is WAN_DHCP6.
I have to set the default gateway IPv6 to "none", to reach the update page.
Edit: Forgot to mention after update from 2.6 to 2.7!

stephenw10

Does it work from the command line using either? Like:
pkg-static -d4 update
or
pkg-static -d6 update

You can set the firewall to prefer IPv4 in Sys > Adv > Networking if your system cannot use IPv6 for some reason.

Steve

Tom8

@stephenw10
When WAN_DHCP6 is set as second default Gateway:
From Diagnostics > command prompt : pkg-static -d6 update ends in "504 Gateway Timeout"
From SSH: Same, I stopped it....

[2.7.0-RELEASE][admin@pfsense.localdomain]/root: pkg-static -d6 update
DBG(1)[4385]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[4385]> PkgRepo: verifying update for pfSense-core
DBG(1)[4385]> PkgRepo: need forced update of pfSense-core
DBG(1)[4385]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/meta.conf
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.conf with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.conf with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.conf with opts "i6"
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/meta.txz
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz with opts "i6"
pkg-static: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz: Operation timed out
repository pfSense-core has no meta file, using default settings
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.pkg
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg with opts "i6"
pkg-static: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg: Operation timed out
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.txz
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz with opts "i6"
pkg-static: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz: Operation timed out
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
DBG(1)[4385]> PkgRepo: verifying update for pfSense
DBG(1)[4385]> PkgRepo: need forced update of pfSense
DBG(1)[4385]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf with opts "i6"
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz with opts "i6"
pkg-static: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.txz: Operation timed out
repository pfSense has no meta file, using default settings
DBG(1)[4385]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg
DBG(1)[4385]> opening libfetch fetcher
DBG(1)[4385]> Fetch > libfetch: connecting
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg with opts "i6"
DBG(1)[4385]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg with opts "i6"
^C

From Diagnostics > command prompt : pkg-static -d4 update works
From SSH:

[2.7.0-RELEASE][admin@pfsense.localdomain]/root: pkg-static -d4 update
DBG(1)[31958]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[31958]> PkgRepo: verifying update for pfSense-core
DBG(1)[31958]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[31958]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/meta.conf
DBG(1)[31958]> opening libfetch fetcher
DBG(1)[31958]> Fetch > libfetch: connecting
DBG(1)[31958]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.conf with opts "i4"
DBG(1)[31958]> Fetch: fetcher chosen: https
DBG(1)[31958]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.pkg
DBG(1)[31958]> opening libfetch fetcher
DBG(1)[31958]> Fetch > libfetch: connecting
DBG(1)[31958]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg with opts "i4"
DBG(1)[31958]> Fetch: fetcher chosen: https
DBG(1)[31958]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.txz
DBG(1)[31958]> opening libfetch fetcher
DBG(1)[31958]> Fetch > libfetch: connecting
DBG(1)[31958]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz with opts "i4"
DBG(1)[31958]> Fetch: fetcher chosen: https
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[31958]> PkgRepo: verifying update for pfSense
DBG(1)[31958]> PkgRepo: need forced update of pfSense
DBG(1)[31958]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[31958]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf
DBG(1)[31958]> opening libfetch fetcher
DBG(1)[31958]> Fetch > libfetch: connecting
DBG(1)[31958]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf with opts "i4"
DBG(1)[31958]> Fetch: fetcher chosen: https
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
DBG(1)[31958]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg
DBG(1)[31958]> opening libfetch fetcher
DBG(1)[31958]> Fetch > libfetch: connecting
DBG(1)[31958]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg with opts "i4"
DBG(1)[31958]> Fetch: fetcher chosen: https
Fetching packagesite.pkg: 100%  155 KiB 159.1kB/s    00:01
DBG(1)[31958]> PkgRepo: extracting packagesite.yaml of repo pfSense
DBG(1)[46734]> PkgRepo: extracting signature of repo in a sandbox
DBG(1)[31958]> Pkgrepo, reading new packagesite.yaml for '/var/db/pkg/repo-pfSense.sqlite'
Processing entries: 100%
pfSense repository update completed. 531 packages processed.
All repositories are up to date.

If I turn off the second gateway, everything is running (except IPv6)

"You can set the firewall to prefer IPv4 in Sys > Adv > Networking if your system cannot use IPv6 for some reason." >>>> I know that, Thank you.

stephenw10

There is IPv6 connectivity to the pkg servers:

[2.7.0-RELEASE][admin@pfsense.fire.box]/root: pkg -d6 update
DBG(1)[65446]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[65446]> PkgRepo: verifying update for pfSense-core
DBG(1)[65446]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/meta.conf
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.conf with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.pkg
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.pkg with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-core/packagesite.txz
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_7_0_amd64-core/packagesite.txz with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[65446]> PkgRepo: verifying update for pfSense
DBG(1)[65446]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/meta.conf with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.pkg with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
DBG(1)[65446]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz
DBG(1)[65446]> opening libfetch fetcher
DBG(1)[65446]> Fetch > libfetch: connecting
DBG(1)[65446]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz with opts "i6"
DBG(1)[65446]> Fetch: fetcher chosen: https
pfSense repository is up to date.
All repositories are up to date.

So you have some IPv6 connectivity issue at your firewall.

Steve

Tom8

@stephenw10 But I get an IPv6 Adress and I can ping websites with IPv6.

Ping from WAN to ipv6.google.com:

PING6(56=40+8+8 bytes) 2axx:xxxx:xxxx::xxxx --> 2a00:1450:4016:80c::200e
16 bytes from 2a00:1450:4016:80c::200e, icmp_seq=0 hlim=119 time=19.106 ms
16 bytes from 2a00:1450:4016:80c::200e, icmp_seq=1 hlim=119 time=22.565 ms
16 bytes from 2a00:1450:4016:80c::200e, icmp_seq=2 hlim=119 time=20.170 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 19.106/20.614/22.565/1.446 ms

stephenw10

Can you ping the pkg servers though?:

[2.7.0-RELEASE][admin@pfsense.fire.box]/root: ping6 pkg01-atx.netgate.com
PING6(56=40+8+8 bytes) 2a00:23c8:xxxx:xxxx --> 2610:160:11:18::209
16 bytes from 2610:160:11:18::209, icmp_seq=0 hlim=47 time=115.979 ms
16 bytes from 2610:160:11:18::209, icmp_seq=1 hlim=47 time=115.111 ms
16 bytes from 2610:160:11:18::209, icmp_seq=2 hlim=47 time=116.118 ms
^C
--- pkg01-atx.netgate.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 115.111/115.736/116.118/0.446 ms

Tom8

@stephenw10 Yes, no problem

PING6(56=40+8+8 bytes) 2axx:xxxx:xxxx::xxxx --> 2610:160:11:18::209
16 bytes from 2610:160:11:18::209, icmp_seq=0 hlim=48 time=136.690 ms
16 bytes from 2610:160:11:18::209, icmp_seq=1 hlim=48 time=137.275 ms
16 bytes from 2610:160:11:18::209, icmp_seq=2 hlim=48 time=135.759 ms

--- pkg01-atx.netgate.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 135.759/136.575/137.275/0.624 ms

stephenw10

Hmm, curious. You are seeing this consistently? It's not a temporary loading issue at the server end for example? Though I'd expect to see a lot more reports if that was the case.

Maybe an MTU issue in the route?

Can you fetch the file directly?: fetch -6 https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz

Tom8

@stephenw10
I noticed this 3 days ago. Also did a fresh installation to be sure, but nothing changed.

Whats the best way to check MTU?

Fetch doesn´t work:

[2.7.0-RELEASE][admin@pfsense.localdomain]/root: fetch -6 https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz
fetch: https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz: Operation timed out

stephenw10

I ran a pcap for IPv6 traffic on WAN whilst running that fetch and could see the full sized packets.

You can test using ping6 though. 1444B is the largest I can send here:
ping6 -s 1444 pkg01-atx.netgate.com

Tom8

@stephenw10
I just realised that when I ping6 from SSH it uses a diferent IPv6 when I ping6 from GUI.

The point is I always used the Ping tool from GUI, which used the WAN IP. 2a02:8070: .....
But with the option -s I have to use SSH, and there the system uses a diferent IP 2a02:3102: ....
The 2a02:3102: .... doesn´t work with Ping6.
Why?

For MTU test used WAN IP and got 1452 max

stephenw10

Ok, so where is that second IP coming from? Which of those is valid?

I imagine that fetch test would also work if you specify the bind address to the other one.

Tom8

@stephenw10
ifconfig igb0 inet6:

igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: WAN
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
inet6 fe80::4262:xxxx:xxxx:xxxx%igb0 prefixlen 64 scopeid 0x1
inet6 2a02:3102:xxxx:xx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
inet6 2a02:3102:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
inet6 2a02:8070:xxxx::xxxx prefixlen 128
inet6 2a02:8070:xxxx:xx:xxxx:xxxx:xxxx:xxxx prefixlen 64
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Found it, but I don´t know what to do

stephenw10

Those are VIPs on the WAN? How is that interface configured for IPv6?

Tom8

@stephenw10

I don´t use VIPs.
ISP is Vodafone cable.
ISP >> TC4400 modem >> PfSense

Screenshot 2023-09-26 154822.png Screenshot 2023-09-26 155047.png Screenshot 2023-09-26 155154.png

stephenw10

Hmm, you have a /59 prefix delegation? That's a very unusual prefix size.

Do you see all those IPs being passed via dhcpv6? That would also be very odd.

Tom8

@stephenw10
After some tests and research it looks like that this is possibly a misconfiguration from my ISP.
I´m obviously not the only one with the problem to have different IPs on WAN.
But thanks for the help stephen!

@hugoeyng
Sorry for hijacking your thread

hugoeyng

@Tom8 said in Unable to check for updates:

is possibly a misconfiguration from my ISP

I agree @Tom8