    Unable to update without turning off firewall

    Problems Installing or Upgrading pfSense Software
    21 Posts 3 Posters 1.5k Views
    stephenw10 Netgate Administrator

      And UNTRUST is your WAN interface there?

      eangel @stephenw10

        @stephenw10
        Yes, UNTRUST is my WAN.

        Curl directly actually fails at the same point:

        curl -v https://pkg01-atx.netgate.com

        * Host pkg01-atx.netgate.com:443 was resolved.
        * IPv6: 2610:160:11:18::209
        * IPv4: 208.123.73.209
        *   Trying 208.123.73.209:443...
        * Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
        * ALPN: curl offers h2,http/1.1
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        *  CAfile: none
        *  CApath: /etc/ssl/certs/
        Gertjan @eangel

          @eangel

          You are upgrading from what version ?

          A client device on LAN can visit ordinary sites using https = port 443 TCP ?

          No other devices behind the UNTRUSTED (WAN) under your control ?

          Is the date and time ok on pfSense? It seems like you can connect, but TLS never starts up.
          (cert issues?)

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          eangel @Gertjan

            @Gertjan

            I have upgraded from 2.6.0 via 2.7.0 to 2.7.2

            Yes. Accessing from the LAN side is ok.

            This is a lab environment and I have control over most of what is beyond the WAN.

            Date and time is ok. However, I do have an out of date certificate on the box, but I fail to see that it could be problematic only when the firewall is active. Do you think it could be the problem?

            Mario

            Gertjan @eangel

              @eangel

              Wait ... you might have to type the special @stephenw10 command ....


              eangel @Gertjan

                @stephenw10

                Do you have any suggestion? Could my expired certificate be causing the issue?

                Mario

                stephenw10 Netgate Administrator

                  I would expect to see a cert error there if it was a cert problem at either end. It's just timing out as I understand it though I don't see the actual error.

                  The states show it is connecting but then just fails.

                  Try a pcap on the WAN filtered by the destination IP then run the update.

                  Could be an MTU issue perhaps.

                  eangel @stephenw10

                    @stephenw10
                    Thanks for answering. Unfortunately I don't get to work with this until Tuesday next week. I'll do a capture then.

                    I agree that it looks like a packet size issue, but I don't see how it could be, as the packets getting sent should not change size just because I turn off the firewall?

                    Mario

                      stephenw10 Netgate Administrator

                      Well with pf-scrub it re-assembles fragments.... or tries to.

                        eangel @stephenw10

                        @stephenw10
                        Good morning,

                        I got to do the capture today. I must admit that I don't know what to make of it.
                        I'll try to attach it here.

                        Mario
                        packetcapture-vtnet0-20241210115532.pcap

                          stephenw10 Netgate Administrator

                          Hmm, interesting. Other traffic is passing the firewall OK?

                          The pkg server never sees the ACK packet from pfSense so it just keeps sending SYN-ACK and never moves past that.

                          If you look at the MAC addresses you might have some asymmetry somewhere, because pfSense is sending to 60:15:2b:fe:f1:11 but the replies come back from 00:10:db:ff:10:00.
                          Which of those is the expected gateway MAC/IP?

                          You don't see anything blocked in pfSense?
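
                          As an added example (not code from the thread or from Netgate), the script below does by program what stephenw10 did by eye on the WAN capture: for every remote host it compares the MAC pfSense sends to with the MAC the replies come from, and it counts SYN-ACKs that keep arriving after the handshake should already have completed, which is what you see when the far end never gets the ACK. The server IP and the two gateway MACs are the ones quoted in this thread; the pfSense WAN IP and MAC, the second host, and the sample capture the script builds are constructed assumptions for the example.

```python
# Added example, not from the thread: parse a WAN capture and flag the two
# symptoms read off the pcap above, replies arriving from a different MAC than
# the one we send to, and a server that keeps retransmitting its SYN-ACK.
# Pure stdlib; assumes classic pcap (not pcapng) with an Ethernet link type.
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Server IP and the two gateway MACs are the ones quoted in the thread. The
# pfSense WAN IP/MAC and the second server are constructed for the sample.
OUR_IP, OUR_MAC = "192.0.2.10", "02:00:00:00:00:01"
SERVER_IP, OTHER_SERVER = "208.123.73.209", "198.51.100.5"
MAC_WE_SEND_TO, MAC_REPLIES_FROM = "60:15:2b:fe:f1:11", "00:10:db:ff:10:00"


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(smac, dmac, sip, dip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero, the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in sip.split(".")),
                     bytes(int(x) for x in dip.split("."))) + tcp
    return _mac(dmac) + _mac(smac) + b"\x08\x00" + ip


def build_pcap(frames):
    """Classic little-endian pcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp_flags) for
    every Ethernet/IPv4/TCP record; everything else (ARP, UDP, IPv6) is skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        fr, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(fr) < 54 or fr[12:14] != b"\x08\x00" or fr[23] != 6:
            continue
        tcp = fr[14 + (fr[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (_fmt_mac(fr[6:12]), _fmt_mac(fr[:6]),
               ".".join(map(str, fr[26:30])), ".".join(map(str, fr[30:34])),
               sport, dport, tcp[13])


def analyse(data, our_ip):
    """Per remote (ip, port): the MACs we send to versus the MACs replies come
    from, plus SYN-ACK retransmits and our outbound ACKs. A flow whose reply MAC
    is not one we send to, with SYN-ACKs still arriving after we ACKed, is the
    asymmetric-routing signature from the thread."""
    flows = {}
    new = lambda: {"tx": set(), "rx": set(), "synack": 0, "ack_out": 0}
    for smac, dmac, sip, dip, sport, dport, flags in parse_pcap(data):
        if sip == our_ip:
            f = flows.setdefault((dip, dport), new())
            f["tx"].add(dmac)
            if flags & ACK and not flags & SYN:
                f["ack_out"] += 1
        elif dip == our_ip:
            f = flows.setdefault((sip, sport), new())
            f["rx"].add(smac)
            if flags & SYN and flags & ACK:
                f["synack"] += 1
    return {k: {"tx_macs": sorted(f["tx"]), "rx_macs": sorted(f["rx"]),
                "asymmetric": not f["rx"] <= f["tx"],
                "synack_retransmits": max(f["synack"] - 1, 0),
                "acks_out": f["ack_out"]} for k, f in flows.items()}


def _out(dst_ip, flags, payload=b""):
    return build_frame(OUR_MAC, MAC_WE_SEND_TO, OUR_IP, dst_ip, 50000, 443, flags, payload)


def _in(src_ip, from_mac, flags):
    return build_frame(from_mac, OUR_MAC, src_ip, OUR_IP, 443, 50000, flags)


# Constructed capture: the pkg server handshake as described in the thread
# (SYN-ACK from the other gateway's MAC, then retransmitted three times), plus a
# healthy flow to a second host that goes out and comes back via the same MAC.
SAMPLE_PCAP = build_pcap(
    [_out(SERVER_IP, SYN), _in(SERVER_IP, MAC_REPLIES_FROM, SYN | ACK),
     _out(SERVER_IP, ACK), _out(SERVER_IP, PSH | ACK, b"\x16\x03\x01")]
    + [fr for _ in range(3)
       for fr in (_in(SERVER_IP, MAC_REPLIES_FROM, SYN | ACK), _out(SERVER_IP, ACK))]
    + [_out(OTHER_SERVER, SYN), _in(OTHER_SERVER, MAC_WE_SEND_TO, SYN | ACK),
       _out(OTHER_SERVER, ACK)])

if __name__ == "__main__":
    for (ip, port), r in analyse(SAMPLE_PCAP, OUR_IP).items():
        print(f"{ip}:{port} asymmetric={r['asymmetric']} tx={r['tx_macs']} "
              f"rx={r['rx_macs']} synack_retransmits={r['synack_retransmits']} "
              f"acks_out={r['acks_out']}")
```

                          To run it against a real capture, pass the bytes of the file saved by Diagnostics > Packet Capture (the example understands classic pcap with an Ethernet link type only, not pcapng) and the WAN address as our_ip. A flow reported as asymmetric with a non-zero SYN-ACK retransmit count is the pattern seen in this thread; the next step is to check which device owns the MAC that is answering and compare it with the gateway pfSense actually uses for the WAN.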

                            eangel @stephenw10

                            @stephenw10

                            Awesome! That was the answer.
                            I have 2 gateways in the same subnet connected to the router for test purposes, and somehow it was using the non-default one for outgoing traffic.
                            I never noticed that the traffic was asymmetric. Thanks for pointing it out for me.

                            Mario

                              stephenw10 Netgate Administrator

                              Aha, that would do it. Nice. 👍

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.