Upgrade pfsense CE 2.7.0 to 2.7.1
-
@reberhar said in Upgrade pfsense CE 2.7.0 to 2.7.1:
Just the virtual wan ip.
Ah, well that would explain it. The WAN CARP VIP is only ever valid on the master node so a backup node could not use that to send DNS queries.
-
@stephenw10 Yes of course.
So should I include the wan and/or the localhost? I am assuming the wan.
-
It could be either. If you only have one WAN it doesn't really matter. Using localhost as source allows Unbound to use any interface as long NAT rules exist on it (and not to a CARP VIP!).
-
@stephenw10 localhost then. I didn't think about localhost being connected to all the wans.
Thanks,
Roy
-
@reberhar Thanks again Stephen,
It was still a long night fixing these problems at then ends of all my tunnels. The DNS being wrong and the updates being out of sync caused me several unexpected and unanticipated problems with one the pfSense secondary servers, including some certificate errors that the rehash couldn't fix. Some of the udates were interrupted because of the way I had done the DNS and me switching CARP states. I had to wait for the update certificates on the update server to time out. On these distant units I need to be more patient and give time for updates to finish. The latency and the tunnels can cause the update feedback to be lost, eventhough pfSense is still faithfully working along. A server can return, even after a very long wait.
This faithfulness and solidness of pfSense and FreeBSD has always impressed me. The programming must be quite awesome.
Thanks for your help and patience. Would I have figured it out alone? Yes I thinks so, but it is such a help to be able to ask. Research and trial and error work, but it is time consuming. Getting help on key points, however seemingly simple can be a big boost.
Thanks so much. You guys are really great.
-
@reberhar Hi guys, there is still another issue I am researching.
Automatic backup does not show any items in the list, although they appear when I put the key in other installation.
The following error is from a manual backup, not cron.
An error occurred while uploading the encrypted pfSense configuration to https://acb.netgate.com/save (Failed to connect to acb.netgate.com port 443 after 10108 ms: Couldn't connect to server) @ 2023-12-02 13:20:01
The machine in not able to fetch the repo.
pfSense-repoc: failed to fetch the repo data
The only repo that is available is 2.7.1 and that is selected.
DNS works from the gui and the command line, that is nslookup resolves.
ping fails of acb.netgate.com and at the command line it says ...
PING acb.netgate.com (208.123.73.212): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission deniedIt can ping other sites.
Static update gives...
[2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: pkg-static update -f
Updating pfSense-core repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense-core has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!Rehashing gives ...
[2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: certctl rehash
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Skipping untrusted certificate /usr/share/certs/trusted/Cybertrust_Global_Root.pem (/etc/ssl/untrusted/76cb8f92.0)
Skipping untrusted certificate /usr/share/certs/trusted/DST_Root_CA_X3.pem (/etc/ssl/untrusted/2e5ac55d.0)
Skipping untrusted certificate /usr/share/certs/trusted/GlobalSign_Root_CA_-_R2.pem (/etc/ssl/untrusted/4a6481c9.0)
Skipping untrusted certificate /usr/share/certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem (/etc/ssl/untrusted/1636090b.0)
Skipping untrusted certificate /usr/share/certs/trusted/Network_Solutions_Certificate_Authority.pem (/etc/ssl/untrusted/4304c5e5.0)
Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_EV_Root_CA.pem (/etc/ssl/untrusted/03179a64.0)
Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_ECA-1.pem (/etc/ssl/untrusted/7aaf71c0.0)
Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_RootCert_CA-1.pem (/etc/ssl/untrusted/5d3033c5.0)
Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_RootCert_CA-2.pem (/etc/ssl/untrusted/3e44d2f7.0)
Scanning /usr/local/share/certs for certificates...I tried this update line from the upgrade problem section of netgate forum. I wonder if it is right for 2.7.1. It failed.
[2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: fetch -qo /usr/local/share/pfSense/keys/pkg/trusted/ https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_4_5/src/usr/local/share/pfSense/keys/pkg/trusted/pkg.pfsense.org.20160406
I fetch: transfer timed outI am wondering if I need to do a reinstall. The box about 2500 miles from here the way the plane flies. It is a virtual machine.
Thanks for any help you can offer.
-
@reberhar said in Upgrade pfsense CE 2.7.0 to 2.7.1:
ping: sendto: Permission denied
That implies something locally blocking access. Do you have Snort or Suricata installed with blocking enabled?
Steve
-
@stephenw10 Gosh I should have thought of that. Working late can fry the brain I guess. Lots of little problems too.
Old chinese proverb says, "Many hands make light work."
It was blocked, now I just have to disable the rule that is doing it.
It was complaining of a bad checksum ... hmmm, maybe something to do with the virtual machine or hardware.
Thanks again! I wish I could send you something for Xmas.
Yes things seem to be working now.
Thanks Steve
-
@SteveITS
I was stuck on 2.7.0 with no packages in package manager after a downgrade to 2.7.0 from the Plus version.
I used ssh and ran the certctl rehash command and was able to upgrade to 2.7.2, and all the packages came with it!
Thanks, Steve. -
I looked up to download 2.7.2 but on the official website 2.7.1 is only available.
-
Yup the mirrors will be updated shortly.
-
@stephenw10 My 2.7.2 is up on my servers. One server I had to reboot because DNS did not reach the users, but I think that was an HA/CARP problem. A reboot of the primary server, the one with the problem, fixed that.
On one server, one of the modems went offline. It really was the modem because the cable connection went to autosync. I tried to bounce the connection, but no joy. I had to go to the site and power cycle the (T-Mobile) modem. The ethernet connection connection on the modem itself had disconnected. Really unusual. I am glad I was close by.
Roy
-
@reberhar Oh for bouncing the ethernet connection it is:
ifconfig interface down ; ifconfig interface up
Interface being the interface name, like maybe eth0 or igb0.
If you have only one modem you can use this too. That is why you do both these commands at once. If you do the first one only the port/interface will go offline and you will lose connection to that wan.
Roy
-
Cheers mate.
I only hit this snag when going from 2.7.0 to 2.7.2 on my work CARP cluster, so I missed it in the change notes for 2.7.1, which I have successfully upgraded to on several smaller systems. The update was showing but I usually like to do a pre-emptive reboot before an upgrade on a box with six months uptime. It stopped showing up after the reboot. Rehashing the certs sorted that out.
Well, the secondary is back up so let's fail over to it and see how it goes (I'm at home doing this from the outside!) ...
(edit) ... the primary has rebooted. It too forgot about the 2.7.2 update. I ran the cert rehash twice because I might have not waited long enough the first time - about one minute! I have been using the web GUI Diagnostics -> Command Prompt to run certctl.
... wait for reboot, AD DC still pinging over IPv6 IPSEC VPN ...
... its just come back up.. Leave CARP maint mode ... all good. My monitoring systems (Icinga1 and 2) didn't go berserk, so the 70 odd VPNs held up through out.
-
@stephenw10 I am in the same state followed the same steps too. The only package I recall upgrading on 2.7.0 was pfBlockerNG
My list of installed packages:
darkstat 3.1.3_6
lldpd 0.9.11_2
pfBlockerNG-devel 3.2.0_7
WireGuard 0.2.0_2pkg-static version (with 2.7.0 branch selected)
Updating pfSense-core repository catalogue... Fetching meta.conf: Fetching packagesite.pkg: pfSense-core repository is up to date. Updating pfSense repository catalogue... Fetching meta.conf: Fetching packagesite.pkg: pfSense repository is up to date. All repositories are up to date. beep-1.0_1 = bind-tools-9.18.14 = bsnmp-regex-0.6_2 = bsnmp-ucd-0.4.5 = bwi-firmware-kmod-3.130.20 = ca_root_nss-3.89.1 = ccid-1.5.1 = check_reload_status-0.0.15 = choparp-20150613 = cpdup-1.22 = cpustats-0.1_1 = curl-8.1.0 = cyrus-sasl-2.1.28 = darkstat-3.0.721 = dbus-1.14.6,1 = devcpu-data-20230513 = devcpu-data-amd-20230424 = devcpu-data-intel-20230512 = dhcp6-20080615.2_4 = dhcpleases-0.5_1 = dmidecode-3.5 = dnsmasq-2.89_1,1 = dpinger-3.3 = expat-2.5.0 = expiretable-0.6_2 = filterdns-2.2 = filterlog-0.1_9 = gettext-runtime-0.22_1 > glib-2.76.2,2 = gmp-6.2.1 = gnugrep-3.11 = grepcidr-2.0 = hostapd-2.10_5 = icu-73.2,1 > iftop-1.0.p4 = igmpproxy-0.4,1 = indexinfo-0.3.1 = ipmitool-1.8.18_3 = iprange-1.0.4 = isc-dhcp44-client-4.4.3P1 = isc-dhcp44-relay-4.4.3P1 = isc-dhcp44-server-4.4.3P1 = jansson-2.14 = jq-1.7_1 > json-c-0.16 = ldns-1.8.3 = libargon2-20190702 = libedit-3.1.20221030,1 = libevent-2.1.12 = libffi-3.4.4 = libgcrypt-1.9.4_1 = libgpg-error-1.47 = libiconv-1.17 = libidn2-2.3.4 = libinotify-20211018 = libltdl-2.4.7 = liblz4-1.9.4,1 = libmaxminddb-1.7.1_1 > libmcrypt-2.5.8_3 = libnghttp2-1.52.0 = libpsl-0.21.2_3 = libsodium-1.0.18 = libssh2-1.10.0_1,3 = libucl-0.8.2 = libunistring-1.1 = libuv-1.45.0 = libxml2-2.10.4_1 > libxslt-1.1.37 = lighttpd-1.4.72 > links-2.29,1 = lldpd-1.0.14 = lua-resty-core-0.1.26 = lua-resty-lrucache-0.13 = lua54-5.4.6 > luajit-openresty-2.1.20230410 = lzo2-2.10_1 = minicron-0.0.2 = miniupnpd-2.3.3,1 = mobile-broadband-provider-info-20221107 = mpd5-5.9_16 = mpdecimal-2.5.1 = net-snmp-5.9.1_3,1 = nettle-3.9.1 > nginx-1.24.0_6,3 = nss_ldap-1.265_14 = ntp-4.2.8p15_5 = oniguruma-6.9.8_1 = openldap26-client-2.6.4 = opensc-0.23.0_1 = openvpn-2.6.4 = openvpn-auth-script-1.0.0.3 = pam_ldap-186_1 = pam_mkhomedir-0.2 = pcre-8.45_3 = pcre2-10.42 = pcsc-lite-1.9.9,2 = perl5-5.32.1_3 = pfSense-2.7.0 = pfSense-Status_Monitoring-php82-1.8_3 = pfSense-base-2.7.0 = pfSense-boot-2.7.0 = pfSense-default-config-2.7.0 = pfSense-kernel-pfSense-2.7.0 = pfSense-pkg-WireGuard-0.2.0_2 = pfSense-pkg-darkstat-3.1.3_6 = pfSense-pkg-lldpd-0.9.11_2 = pfSense-pkg-pfBlockerNG-devel-3.2.0_7 > pfSense-rc-2.7.0 = pfSense-repo-2.7.0_2 = pfSense-repoc-20230616 = pfSense-upgrade-1.0_33 = pftop-0.8_2 = php82-8.2.11 > php82-bcmath-8.2.6 = php82-bz2-8.2.6 = php82-ctype-8.2.6 = php82-curl-8.2.6 = php82-dom-8.2.6 = php82-filter-8.2.6 = php82-gettext-8.2.6 = php82-gmp-8.2.6 = php82-intl-8.2.11 > php82-ldap-8.2.6 = php82-mbstring-8.2.6 = php82-opcache-8.2.6 = php82-openssl_x509_crl-1.3_2 = php82-pcntl-8.2.6 = php82-pdo-8.2.6 = php82-pdo_sqlite-8.2.6 = php82-pear-1.10.13 = php82-pear-Auth_RADIUS-1.1.0_4 = php82-pear-Cache_Lite-1.8.3,1 = php82-pear-Crypt_CHAP-1.5.0_2 = php82-pear-HTTP_Request2-2.5.1,1 = php82-pear-Mail-1.4.1,1 = php82-pear-Net_IPv6-1.3.0.b4_2 = php82-pear-Net_SMTP-1.10.1 = php82-pear-Net_Socket-1.2.2 = php82-pear-Net_URL2-2.2.1 = php82-pear-XML_RPC2-1.1.5 = php82-pecl-mcrypt-1.0.6 = php82-pecl-radius-1.4.0b1_2 = php82-pecl-rrd-2.0.3 = php82-pfSense-module-0.95 = php82-phpseclib-2.0.17 = php82-posix-8.2.6 = php82-readline-8.2.6 = php82-session-8.2.6 = php82-shmop-8.2.6 = php82-simplexml-8.2.6 = php82-sockets-8.2.6 = php82-sqlite3-8.2.6 = php82-sysvmsg-8.2.6 = php82-sysvsem-8.2.6 = php82-sysvshm-8.2.6 = php82-tokenizer-8.2.6 = php82-xml-8.2.6 = php82-xmlreader-8.2.6 = php82-xmlwriter-8.2.6 = php82-zlib-8.2.6 = pkcs11-helper-1.29.0 = pkg-1.20.8_3 > py311-maxminddb-2.4.0 > py311-setuptools-63.1.0_1 > py311-sqlite3-3.11.6_8 > python311-3.11.6 > qstats-0.2 = radvd-2.19_2 = rate-0.9_2 = readline-8.2.1 = rrdtool-1.8.0_2 = rsync-3.2.7 = scponly-4.8.20110526_5 = smartmontools-7.3 = sqlite3-3.43.1,1 > ssh_tunnel_shell-0.2_1 = sshguard-2.4.2_2,1 = strongswan-5.9.10_2 = uclcmd-0.2.20211204 = unbound-1.17.1_3 = voucher-0.1_2 = vstr-1.0.15_1 = whois-5.5.7 = wol-0.7.1_4 = wpa_supplicant-2.10_6 = wrapalixresetbutton-0.0.8 = xinetd-2.3.15_2 = xxhash-0.8.2 > zstd-1.5.5 >
-
What error do you see when you run:
pkg-static -d update
? -
@reberhar Hi All,
Right after I updated to 2.7.2 I had an odd problem with my primary CARP cluster server. DNS was not arriving at the LAN devices, although it was arriving at the DNS Lookup in the diagnostic menus. I rebooted the system and I thought the problem went away, but I was apparently mistaken.So tonight it happened again. Reboot did not help. I even changed it and pfBlocker to Python Mode wondering if there was some kind of corruption error I could overwrite. It did not help. Again in the Diagnostics drop down in DNS Lookup everything is fine, but now joy on the lan. So I turned on Forwarding Mode and that worked. I would sooner use recursive mode, not to mention that something is obviously broken that I want to fix.
Its almost like it falls behind because sometime it partially resolves on the lan device.
I will keep plugging away at it until I get it, but any suggestions are greatly appreciated.
Roy
-
Does DNS Lookup show success for all configured DNS servers? Including 127.0.0.1?
-
@stephenw10 Yes, all look well.
-
Hmm, should be fine from any clients using it then. Perhaps the clients are not using Unbound in pfSense? Or perhaps that DNS traffic is being blocked by the firewall rules? Or forced out of gateway so it never reaches the LAN IP?