Filter needs manual reload to open incoming ports

doktornotor

Well… and guess what -  it just works over IPv4. HTTP or HTTPS does not matter.

# wget -4 -d --no-check-certificate https://files.pfsense.org/lists/fullbogons-ipv6.txt
Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.12 on linux-gnueabi.

URI encoding = `ANSI_X3.4-1968'
--2014-01-24 17:04:29--  https://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 66.111.2.167
Caching files.pfsense.org => 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|66.111.2.167|:443... connected.
Created socket 3.
Releasing 0x00fe6740 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00fe6a10
certificate:
  subject: /OU=Domain Control Validated/CN=*.pfsense.org
  issuer:  /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
WARNING: cannot verify files.pfsense.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2':
  Unable to locally verify the issuer's authority.

---request begin---
GET /lists/fullbogons-ipv6.txt HTTP/1.0
User-Agent: Wget/1.12 (linux-gnueabi)
Accept: */*
Host: files.pfsense.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 24 Jan 2014 16:04:29 GMT
Content-Type: text/plain
Content-Length: 738156
Last-Modified: Tue, 21 Jan 2014 06:01:01 GMT
Connection: keep-alive
ETag: "52de0d1d-b436c"
Accept-Ranges: bytes

---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt'

100%[===================================================================================================================================================================================================>] 738,156      730K/s   in 1.0s

2014-01-24 17:04:31 (730 KB/s) - `fullbogons-ipv6.txt' saved [738156/738156]

# wget -4 -d http://files.pfsense.org/lists/fullbogons-ipv6.txt
DEBUG output created by Wget 1.12 on linux-gnueabi.

URI encoding = `ANSI_X3.4-1968'
--2014-01-24 17:04:57--  http://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 66.111.2.167
Caching files.pfsense.org => 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|66.111.2.167|:80... connected.
Created socket 3.
Releasing 0x003eb580 (new refcount 1).

---request begin---
GET /lists/fullbogons-ipv6.txt HTTP/1.0
User-Agent: Wget/1.12 (linux-gnueabi)
Accept: */*
Host: files.pfsense.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: nginx/1.4.4
Date: Fri, 24 Jan 2014 16:04:57 GMT
Content-Type: text/plain
Content-Length: 738156
Last-Modified: Tue, 21 Jan 2014 06:01:01 GMT
Connection: keep-alive
ETag: "52de0d1d-b436c"
Accept-Ranges: bytes

---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt.1'

100%[===================================================================================================================================================================================================>] 738,156      354K/s   in 2.0s

2014-01-24 17:05:00 (354 KB/s) - `fullbogons-ipv6.txt.1' saved [738156/738156]

jimp

Can you clear your DNS cache (if you have one) and try again? It should be on ::56 now. cmb noticed some issues routing to ::55 but ::56 seems to be OK at the moment.

doktornotor

Well yes, but the files are not there… :D

#  wget -v http://files.pfsense.org/lists/fullbogons-ipv6.txt
--2014-01-24 18:03:04--  http://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 2610:1c0:1:25::56, 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|2610:1c0:1:25::56|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-01-24 18:03:05 ERROR 404: Not Found.

P.S. Thanks for looking into the problem!  8)

gogol

@doktornotor:

Well yes, but the files are not there… :D

Yes, they are…, oh no they are not..., ah there they are again..., oh my, gone again. :-[

Edit: I was finally able to download packages by disabling my ipv6 tunnel. Weird. Probably Pfsense was connecting ipv6 which didn't work?

doktornotor

@gogol:

Yes, they are…, oh no they are not..., ah there they are again..., oh my, gone again. :-[
[/quote]

Yes, they are, right now.  ;D

IPv6:

# wget -v http://files.pfsense.org/lists/fullbogons-ipv6.txt
--2014-01-24 19:29:30--  http://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 2610:1c0:1:25::57, 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|2610:1c0:1:25::57|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt'

100%[===================================================================================================================================================================================================>] 738,156      222K/s   in 3.3s

2014-01-24 19:29:33 (222 KB/s) - `fullbogons-ipv6.txt' saved [738156/738156]

# wget -v --no-check-certificate https://files.pfsense.org/lists/fullbogons-ipv6.txt
--2014-01-24 19:29:49--  https://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 2610:1c0:1:25::57, 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|2610:1c0:1:25::57|:443... failed: Connection refused.
Connecting to files.pfsense.org (files.pfsense.org)|66.111.2.167|:443... connected.
WARNING: cannot verify files.pfsense.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt.1'

100%[===================================================================================================================================================================================================>] 738,156      744K/s   in 1.0s

2014-01-24 19:29:50 (744 KB/s) - `fullbogons-ipv6.txt.1' saved [738156/738156]

IPv4:

# wget -4 -v http://files.pfsense.org/lists/fullbogons-ipv6.txt
--2014-01-24 19:31:06--  http://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|66.111.2.167|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt.3'

100%[===================================================================================================================================================================================================>] 738,156      523K/s   in 1.4s

# wget -4 -v --no-check-certificate https://files.pfsense.org/lists/fullbogons-ipv6.txt
--2014-01-24 19:30:41--  https://files.pfsense.org/lists/fullbogons-ipv6.txt
Resolving files.pfsense.org (files.pfsense.org)... 66.111.2.167
Connecting to files.pfsense.org (files.pfsense.org)|66.111.2.167|:443... connected.
WARNING: cannot verify files.pfsense.org's certificate, issued by `/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 738156 (721K) [text/plain]
Saving to: `fullbogons-ipv6.txt.2'

100%[===================================================================================================================================================================================================>] 738,156      721K/s   in 1.0s

2014-01-24 19:30:43 (721 KB/s) - `fullbogons-ipv6.txt.2' saved [738156/738156]

All good now, thanks jimp and else everyone involved!  8) 8) 8)

Guest

@jimp:

Try it with Thu Jan 23 17:15:05 EST 2014 or later.

It was the same issue after the upgrade.

The filter needed a manual reload and the apinger service needed to be restarted.

Guest

Same for.  8.3-RELEASE-p14 FreeBSD 8.3-RELEASE-p14 #1: Sat Jan 25 11:19:23 EST 2014 root@snapshots-8_3-amd64.builders.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64

maverick_slo

Huh I don`t have this problems since THU snapshot…
Today I upgraded to SAT snapshot and all is OK...

maverick_slo

OK disregard above post…
I just checked my logs again and here we go:

Jan 26 19:48:16 	apinger: command (/usr/local/sbin/pfSctl -c 'service reload dyndns WAN_PPPOE' -c 'service reload ipsecdns' -c 'service reload openvpn WAN_PPPOE' -c 'filter reload' ) exited with status: 255
Jan 26 19:48:16 	apinger: Error while starting command form alarm(WAN_PPPOEdelay) on target(IP-WAN_PPPOE)
Jan 26 19:48:07 	apinger: command (/usr/local/sbin/pfSctl -c 'service reload dyndns WAN_PPPOE' -c 'service reload ipsecdns' -c 'service reload openvpn WAN_PPPOE' -c 'filter reload' ) exited with status: 255
Jan 26 19:48:07 	apinger: Error while starting command form alarm(WAN_PPPOEdelay) on target(IP-WAN_PPPOE)
Jan 26 19:48:06 	apinger: alarm canceled: WAN_PPPOE(IP) *** WAN_PPPOEdelay ***
Jan 26 19:47:57 	apinger: ALARM: WAN_PPPOE(IP) *** WAN_PPPOEdelay ***

maverick_slo

Tested on:

2.1.1-PRERELEASE (i386)
built on Mon Jan 27 02:29:41 EST 2014
FreeBSD 8.3-RELEASE-p14

Still same errors…

jimp

Next new snap should be OK.
https://forum.pfsense.org/index.php/topic,71555.msg393514.html#msg393514

adam65535

Wrong thread….

Guest

@jimp:

Next new snap should be OK.
https://forum.pfsense.org/index.php/topic,71555.msg393514.html#msg393514

Yep, works!  :D