newbie: bogon not updating
-
Good day. At the start of the month these messages appear under "Status" > "System Logs" > "System" > "General":
- rc.update_bogons.sh is starting up.
- rc.update_bogons.sh is sleeping for 35206 (the number changes per month)
- rc.update_bogons.sh is beginning the update cycle.
When choosing "bogons" under "Diagnostics" > "Tables" it displays the Bogons Table, but with a message that it was last updated last year:
Table last updated on Fri Dec 1 00:55:01 2023 GMT. 664 records.
When clicking the "Update" button it processes, but after the process has ended the message still reads "Table last updated on Fri Dec 1 00:55:01 2023 GMT. 664 records."
When following the steps under "Troubleshooting Bogon Network List Updates" of URL:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/bogons.html
Step 1 (DNS Lookup) is successful, but
Step 2 (Diagnostics > Test Port) displays the message "Connection failed."
These are the WAN1 firewall rules:
These are the WAN2 firewall rules:
These are the LAN firewall rules:
These are the firewall rules for the main users:
The last change that was done was configuring failover following this thread:
https://forum.netgate.com/topic/185136/bandwidth-segregation-needed-and-not-load-balance-or-fail-over
The setting change for "System" > "Routing" > "Gateways" was successful (setting "Default gateway IPv4" and "Default gateway IPv6" to "None").
Is there a need to add firewall rules to allow the bogon list to be updated? Thank you in advance.
-
@richardsago said in newbie: bogon not updating:
Is there a need to add firewall rules to allow bogon to be updated?
No, by default all connections from pfSense itself would be allowed..
If you look in the full rule set (some are hidden) you would see these rules:
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts ridentifier 1000015165 label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts ridentifier 1000015166 label "let out anything IPv6 from firewall host itself"
So I show this..
My bogons were last updated yesterday; when I do a test to files.pfsense.org it comes back successful.. As the bogon troubleshooting page states, if you cannot talk to files.pfsense.org you have some sort of connectivity issue there?
Can you call that up with a browser?
Did you try testing with specific interface selected.. You have a Wan and a starlinkwan?
But to be honest I wouldn't worry too much about bogon.. Your WAN rules there show blocking bogon.. You don't even have any port forwards or ports open, so ALL unsolicited inbound would be blocked anyway, be it a bogon or not..
If you have no gateway set in pfSense, how would it go talk to files.pfsense.org? Your default gateway in routing should be set to something.
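The checks discussed in this thread, as an added example that is not code from the thread or from pfSense: it scripts the two manual steps from the "Troubleshooting Bogon Network List Updates" page (DNS lookup, then a port test to files.pfsense.org) and adds the check that turned out to matter here, whether the firewall has a default route at all. It assumes "netstat -rn" style routing-table text, `nc` for the port test, and HTTPS (port 443) as the target port, which the thread does not name.

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense): scripted version of
# the bogon troubleshooting steps plus a default-route check.
# Assumptions: "netstat -rn" style routing table, `nc` available, port 443.

BOGON_HOST="files.pfsense.org"
BOGON_PORT=443   # assumed: the list is fetched over HTTPS

# has_default_route ROUTE_TABLE_TEXT
# Exit 0 if the table has an IPv4 default route ("default" on BSD,
# "0.0.0.0" on Linux netstat), 1 otherwise.
has_default_route() {
    printf '%s\n' "$1" | awk '
        $1 == "default" || $1 == "0.0.0.0" || $1 == "0.0.0.0/0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# dns_check HOST: step 1 of the docs page (can the name be resolved?)
dns_check() {
    getent hosts "$1" >/dev/null 2>&1
}

# port_check HOST PORT: step 2 of the docs page (Diagnostics > Test Port)
port_check() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# diagnose ROUTE_RC DNS_RC PORT_RC
# Each argument is 0 for pass, non-zero for fail. Prints the most likely
# cause and returns 0 (healthy), 2 (no default route), 3 (DNS), 4 (port).
# The route check comes first because, as in this thread, a firewall with
# "Default gateway IPv4" set to None fails the port test no matter what the
# WAN/LAN rules say.
diagnose() {
    if [ "$1" -ne 0 ]; then
        echo "no default route: pfSense itself has no path to $BOGON_HOST; set Default gateway IPv4 under System > Routing > Gateways"
        return 2
    fi
    if [ "$2" -ne 0 ]; then
        echo "DNS lookup of $BOGON_HOST failed: check the resolver settings"
        return 3
    fi
    if [ "$3" -ne 0 ]; then
        echo "TCP connect to $BOGON_HOST:$BOGON_PORT failed: check gateway and outbound policy"
        return 4
    fi
    echo "connectivity to $BOGON_HOST looks fine; the bogon update should succeed"
    return 0
}

# Live run on the firewall shell:  sh bogon_check.sh --run
if [ "${1:-}" = "--run" ]; then
    routes=$(netstat -rn 2>/dev/null)
    has_default_route "$routes"; route_rc=$?
    dns_check "$BOGON_HOST";     dns_rc=$?
    port_check "$BOGON_HOST" "$BOGON_PORT"; port_rc=$?
    diagnose "$route_rc" "$dns_rc" "$port_rc"
    exit $?
fi
```

Run it with `--run` from Diagnostics > Command Prompt or an SSH shell; without the flag it only defines the functions, so it can be sourced and the routing-table parser tried against saved `netstat -rn` output.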
-
@johnpoz Thank you for the reply. The problem got solved after I followed your instruction and added back the default gateway. I removed it last year because we had a requirement that some groups should failover to WAN2 and some groups should not failover. The group that should not failover was still failing over to WAN2 until we removed the default gateway.
-
@richardsago I would think you could use routing policy rules to keep some devices from failing over. Or how you have your groups set up. But if set to none, what would pfSense use for its own traffic?
-
@johnpoz Thank you for pointing me in the right direction. It never occurred to me that setting the default gateway to "None" last year was the reason why I could not update pfsense. Now that the default gateway value was returned, the dashboard "System Information" > "Version" is now showing the available version update. I will try again to update pfsense this December.
I will also try to see if the two NTP entries I added to Firewall > Rules > LAN are no longer needed. I added them this year because the access points suddenly could not connect to NTP.