New installation and packages.netgate.com issues
-
Hi there,
I have a new installation of pfSense 2.5 just completed yesterday and this installation only has internet access via a proxy server, and only via whitelisted domains. After setting the pfSense firewall up I set the proxy server and took a gander at the logs to see what domains I should be whitelisting.
packages.netgate.com seemed to be a common theme, so I added this in my whitelist and started seeing accepts in the proxy logs, however the firewall was still complaining.
Taking a closer look, it seems that packages.netgate.com doesn't actually exist and (checking my own home firewall installation and forcing that through a proxy) it appears that it is using files01.netgate.com - no problem, I added that as well, yet still nothing was working. (I was trying to get a package list populated and some base packages installed such as the open-vm-tools package)
Looking at the command line pkg utility I checked (via 'set') that the proxy was set, then ran a 'pkg update -f'
Failed, and was going to packages.netgate.com. I then compared the /usr/local/etc/pkg/repos/pfSense.conf files and they were the same, weird.
Running truss on the home firewall, I noticed it appeared to be getting its package repo information from an sqlite database and not the packages file yet the newly installed one wasn't. (to be fair, I have yet to run truss on the newly installed one)
I then tried altering the pkg repo to point to files01.netgate.com and the package list got populated, cool beans!
I then attempted (via the WebUI) to install the open-vm-tools package and this failed.
It also seems that somewhere along the line it reset my repo edits back to packages.netgate.com which doesn't exist.
Is this expected behaviour? Is it possible to force files01.netgate.com to be the default repo?
-
See if this helps. packages.netgate.com Has no A/AAAA Record
-
@teamits Ahh, thanks for that, that helps a lot, although now I am left with an interesting pickle on how to solve this, as I don't believe the proxy server is clever enough to look up a SRV (it only sees the http request) record and there is no external DNS.
However, I could probably set up an internal 'dummy' netgate.com domain with SRV records mimicking what's outside which may be enough to poke the firewall to pick up the right domain, the issue would be somehow keeping this up to date.
At least I know why it's not working now :-)
-
@nibblet said in New installation and packages.netgate.com issues:
as I don't believe the proxy server is clever enough to look up a SRV (it only sees the http request) record
If the proxy only deals with http, why should it block - and not deal with - ordinary DNS requests?
pfSense isn't the only one using more than MX/A/AAAA/CNAME records.
There are many other DNS record types.
-
@nibblet said in New installation and packages.netgate.com issues:
@teamits Ahh, thanks for that, that helps a lot, although now I am left with an interesting pickle on how to solve this, as I don't believe the proxy server is clever enough to look up a SRV (it only sees the http request) record and there is no external DNS.
However, I could probably set up an internal 'dummy' netgate.com domain with SRV records mimicking what's outside which may be enough to poke the firewall to pick up the right domain, the issue would be somehow keeping this up to date.
At least I know why it's not working now :-)
How did you solve this problem? Thanks
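-
For the allowlist upkeep problem raised in this thread, one way to turn the SRV answers into the list of hosts the proxy has to permit. This is an added example, not part of any post; it assumes `dig +short SRV` output format and the `_https._tcp` query name, and the sample answers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Input format is `dig +short SRV` output:
#   "<priority> <weight> <port> <target>."
# Assumption: the lookup is run on a host that has external DNS, e.g.
#   dig +short SRV _https._tcp.packages.netgate.com
# (the _https._tcp prefix is assumed here, it is not stated in the thread).

# Constructed sample answers; only files01.netgate.com appears in the thread.
SAMPLE='10 10 443 files01.netgate.com.
20 10 443 mirror.example.net.
10 10 443 FILES01.netgate.com.
0 0 0 .
;; communications error (not an SRV line)'

# srv_targets: read SRV answers on stdin, print each unique target host once,
# lowest priority value first. A target of "." means "no service" and is skipped.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             host = tolower($4)
             sub(/\.$/, "", host)
             if (host != "" && !(host in seen)) { seen[host] = 1; print $1, host }
         }' | sort -k1,1n -k2,2 | awk '{ print $2 }'
}

# missing_from_allowlist FILE: print SRV targets (stdin) that FILE, one host
# per line, does not contain yet. Prints nothing when the allowlist is current.
missing_from_allowlist() {
    srv_targets | grep -ivxFf "$1" || true
}

printf '%s\n' "$SAMPLE" | srv_targets
```

Run on a schedule, non-empty output from `missing_from_allowlist` signals that the published SRV targets have changed and the proxy whitelist needs review before it is updated.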