pfSense 2.4.5-RELEASE-p1 Now Available
-
@avr said in pfSense 2.4.5-RELEASE-p1 Now Available:
@al
Issue:
After 2.4.5_1 upgrade OpenVPN connections started leaking WAN IP DNS
https://redmine.pfsense.org/issues/10664Isn't dns-leakage while using VPN-clients a general problem in pfSense? Can't see what your have done would help there in the first place.
Do you have DNS Query Forwarding in the forwarder enabled? -
@Bob-Dig Enable Forwarding Mode is disabled
-
@Visseroth Strange. Please try using a different browser or an anonymous tab when logging in - it could be some cache stuff or an old cookie or something else that gives a problem.
-
@avr Ok, same here. But I think tinkering under general setup is no solution in the first place. The only solution I am aware of is using only the vpn-client(s) as Outgoing Network Interfaces in the resolver. Works flawlessly.
-
Issue:
After 2.4.5_1 upgrade OpenVPN connections started leaking WAN IP DNS
https://redmine.pfsense.org/issues/10664Hi,
this is a misstatement:
"So all of you out there may be leaking vpn DNSs right now after upgrade... that's an upgrade bug, a serious one."this is not the case for everyone...
-
@al Tried that, some results
-
@DaddyGo it's not a misstatement: 'may' is not the same as affirming for sure... anyway I'm happy for you, but I'm not happy for me.
pfSense most likelly has 2 sets of configurations: one configured in the OS in the form of conf files and one for the front-end. I bet in my case they got out of sync, and setting off and on again made sync them... of course this is just and hypothesis but still a logical one. -
@avr said in pfSense 2.4.5-RELEASE-p1 Now Available:
@DaddyGo it's not a misstatement: 'may' is not the same as affirming for sure... anyway I'm happy for you, but I'm not happy for me.
pfSense most likelly has 2 sets of configurations: one configured in the OS in the form of conf files and one for the front-end. I bet in my case they got out of sync, and setting off and on again made sync them... of course this is just AN hypothesis but still a logical one. -
@al Restarted, tried again, stuck again...
[220/239] Reinstalling pkg-1.13.2... [220/239] Extracting pkg-1.13.2: 100% You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed. [221/239] Upgrading pfSense-pkg-squidGuard from 1.16.18_5 to 1.16.18_6... [221/239] Extracting pfSense-pkg-squidGuard-1.16.18_6: 100% Removing squidGuard components... Menu items... done. Services... done. Loading package instructions... Deinstall commands... done. -
@Visseroth Do you still get a:
I did try your post and received "pkg-static: Cannot get an advisory lock on a database, it is locked by another process"
if so does a:
killall pkg-static
make a difference? Is the process truly terminated if you look up / check with 'ps -aux' or 'top' ?
Afterwards please run (again) and see if package continue to become installed:
pkg-static upgrade -f
-
@Visseroth also consider running a:
pkg clean
, after killing the process - maybe it does the job re. the lock. A wild guess, but try.
-
Hi, Thanks for your reply.
something can be safely called a global problem, if the problem is the same everywhere
if it only happens in a few installations, it can be anything, I mean it's not good for you, but it can be something else in the background
if this were the situation in a completely general way and for everyone - then you are absolutely right
there are nearly 50 of pfSense (2.4.5-p1) running on our systems - and we really haven’t experienced that issue...
(on a variety of environments and hardware)it scared me too - but we checked several installations immediately - but no question so far
we use almost only OpenVPN connections between multiple countries and of course NordVPN + ExpVPN subscriptions
my opinion is that:
I modify - this is not a misstatement - but a problem to be investigated individually ,first (of course with community help if needed)
-
@al pkg clean and pkg-static clean gave me "Nothing to do"
Tried pkg-static upgrade -f again, same result -
@Visseroth Seems the problems are with specific packages re. https://forum.netgate.com/topic/154403/squidguard-update-fails-after-upgrading-pfsense-2-4-5-release-p1 where (deep below in the thread) it is listed how to workaround it. However the problem might be a bug in the pkg-static program.
dennis_s / Netgate employee mention using 'killall -9 pkg-static', whereas pr340 mention deleting squidGuard calling 'pkg delete squidGuard', unfortunately I think you need to read it through thoroughly to decide which path you want to take.
-
@Visseroth forgot to mention: Try to close down the squid service before doing the package update. Maybe that makes a difference.
-
@DaddyGo said in pfSense 2.4.5-RELEASE-p1 Now Available:
if it only happens in a few installations, it can be anything
I'd like to politelly disagree there... software engineering, the absent elephant in the room, should prevent 'random' problems like this to occur. Imagine if, instead of a security software product, it was a bridge, or a building... oh wait! anti-engineering is getting there too!
-
I have 3 gateways, one ipv6 (Comcast, SLAAC) and 2 ipv4 (Comcast static /29 and Verizon Wireless static /32). The status of the ipv6 gateway remains "Unknown" although ipv6 clients get an address and routing works. I added a report to a bug here: https://redmine.pfsense.org/issues/10565#change-46724
but there has been no notice of it. -
@al Good call, I don't know why I didn't think of that! I guess I ass-u-me-d (assumed) that it would stop the service and then update the application and then restart the service.
-
@Visseroth Great :)
It would be most logical if the service would stop when its package is updated.
What the reason is that it doesn't is a good question.
Whether the new package has the issue fixed is a good question, but lets hope the problem gets picked up by Netgate e.g. as a note in the release notes and/or tested/fixed in the upcoming packages for squid / squidGuard and maybe other packages that may have this problem of not shutting down their services when package updates happen.Cheers :)
-
Hi to all,
I've upgraded yesterday and solve my primary issue related to WAN speed. Now speedtest told me 810/200 (before 400/160).
Thanks, great job!!!
