[SOLVED] New SG-2220 install - Can't access package repo



  • Reposting here. Accidentally posted to a sticky in the Package section by mistake. Sorry mods :(

    SG-2220
    2.3.2-RELEASE (amd64)
    built on Wed Jul 20 10:29:55 CDT 2016
    FreeBSD 10.3-RELEASE-p5

    When I go to System > Package Manager I get the following error for both "Installed Packages" and "Available Packages":

    "Unable to retrieve package information."
    From the console, I've tried running option 13 to update. I've also tried 'pfSense-upgrade -d' and 'pkg update'. All result in the following errors:
    Updating pfSense-core repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: Permission denied
    repository pfSense-core has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: Permission denied
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: Permission denied
    repository pfSense has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: Permission denied
    Unable to update repository pfSense
    

    From LAN clients, I am able to reach the repository and download the files.
    From the console of the pfSense, I can't telnet to either port 80 or port 443 of firmware.netgate.com. I am able to do this from the LAN clients.
    I suspect there is some configuration that I am missing, but out of the box I would expect that the device could access the repositories.
    I am using DNS Forwarder and it is active on all interfaces, including loopback. From the pfSense console, it is able to resolve firmware.netgate.com to 208.123.73.85.

    One last thing, the telnet attempt fails immediately.

    Anyone have any thoughts here? I'm at a loss.

    /: pkg update -f
    Updating pfSense-core repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: Permission denied
    repository pfSense-core has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: Permission denied
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: Permission denied
    repository pfSense has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: Permission denied
    Unable to update repository pfSense
    /: nslookup firmware.netgate.com
    Server:        8.8.8.8
    Address:    8.8.8.8#53
    
    Non-authoritative answer:
    Name:    firmware.netgate.com
    Address: 208.123.73.85
    
    /: telnet firmware.netgate.com 443
    Trying 208.123.73.85...
    telnet: connect to address 208.123.73.85: Permission denied
    telnet: Unable to connect to remote host
    

  • LAYER 8 Netgate

    That looks like those connections are being denied by policy. Is there an upstream device or something?



  • The cable modem, which does have a firewall but isn't blocking 443.

    I did some experimenting. As a starting point, I created an ANY/ANY rule on the WAN net (I know, not secure). But it did change things. When I did that, my error changed from 'Permission denied' to 'No address record':

    Updating pfSense-core repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: No address record
    repository pfSense-core has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: No address record
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: No address record
    repository pfSense has no meta file, using default settings
    pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: No address record
    Unable to update repository pfSense
    

    What also happened is that DNS resolution for anything on the LAN side started failing. Next I moved from DNS Forwarder to DNS Resolver. I can't remember what behavior I was seeing that caused this to make sense to me, but in any case DNS is now working again using DNS Resolver, but I'm back to 'Permission denied.'


  • LAYER 8 Netgate

    Any any rules on WAN have nothing to do with outbound connections. Zero. You have something else going on if that changed anything.

    ![Screen Shot 2016-09-29 at 9.38.08 PM.png](/public/imported_attachments/1/Screen Shot 2016-09-29 at 9.38.08 PM.png)



  • Ok :)

    Repeating your test fails immediately after pressing the button. It really feels like the request isn't leaving the pfSense host.

    I did log into the ISP router and made sure the FW options they have there are completely disabled.



  • LAYER 8 Netgate

    Well, either DNS isn't working or something is rejecting your traffic. Not sure what else to tell you.


  • Rebel Alliance Developer Netgate

    Floating rule dropping traffic outbound, or perhaps snort or something similar.

    The errors suggest that the traffic is not being allowed to leave the host, which is not a default behavior.

    If all else fails, reset to factory defaults and see if it works then.



  • I've done one reset already, but am not above doing another one later today. At this point I have zero floating rules, zero rules configured against the WAN interface, and the standard 3 rules on the LAN allow all connections.

    Not sure if it's an indicator, but when I use the DNS Lookup test I can resolve google and firmware.netgate.com. The first name server listed is localhost, followed by some Google name servers I put in. However, when I do the Test Port test, I can't connect on port 80 even for google.com. I would have expected that to work.

    Trying from the console, it fails immediately. Much like the package update requests to netgate.

    Trying 172.217.3.174...
    telnet: connect to address 172.217.3.174: Permission denied
    Trying 2607:f8b0:400a:809::200e...
    telnet: connect to address 2607:f8b0:400a:809::200e: No route to host
    telnet: Unable to connect to remote host
    

  • Rebel Alliance Developer Netgate

    What does your interface config (ifconfig -a) and routing table (netstat -rn) look like?  You can mask a couple digits if necessary but at least leave the last two octets of addresses in place.

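    A small triage script for the checks requested in this reply, added here as an example; it is not code posted in the thread or shipped with pfSense. It parses `netstat -rn -f inet` output in the FreeBSD 10.x layout (the route tables inside it are constructed samples; interface names and addresses are assumptions) to flag zero or multiple default routes, which is the misconfiguration the thread ends on, and maps the error strings seen above to their most likely cause. "Permission denied" (EACCES) on connect() from the firewall host itself means pf dropped the locally generated packet, which is why the replies above point at policy on the box rather than at the upstream modem.

```sh
#!/bin/sh
# Added example (not from the thread): triage outbound "Permission denied" from a
# FreeBSD/pfSense host. Route tables below are constructed samples; igb0/igb1 and
# the 192.0.2.x / 192.168.1.x addresses are assumptions.
# Live use:  netstat -rn -f inet > /tmp/rt; check_default_route "$(cat /tmp/rt)"
# and cross-check block rules with:  pfctl -sr

# Constructed sample reproducing the end-of-thread misconfiguration: a wrong
# gateway was configured, a second one added, and the host now has two default routes.
SAMPLE_ROUTES_BAD='Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            192.0.2.254        UGS         igb0
default            192.0.2.1          UGS         igb0
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#1             U           igb0
192.0.2.10         link#1             UHS         lo0
192.168.1.0/24     link#2             U           igb1
192.168.1.1        link#2             UHS         lo0'

# Constructed sample of a healthy table: exactly one default route.
SAMPLE_ROUTES_OK='Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            192.0.2.1          UGS         igb0
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#1             U           igb0
192.168.1.0/24     link#2             U           igb1'

# Print the gateway of every IPv4 default route in the given netstat output.
default_gateways() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2 }'
}

# Count default routes; anything other than exactly one is a problem.
count_default_routes() {
    default_gateways "$1" | wc -l | tr -d ' '
}

# One-line verdict on the routing table.
check_default_route() {
    n=$(count_default_routes "$1")
    case "$n" in
        0) echo "FAIL: no IPv4 default route; the firewall itself cannot reach the repository" ;;
        1) echo "OK: single default gateway $(default_gateways "$1")" ;;
        *) echo "WARN: $n default routes ($(default_gateways "$1" | xargs)); fix the gateway configuration" ;;
    esac
}

# Map the errno text that telnet/fetch/pkg print to the most likely cause.
# EACCES on connect() from the firewall means pf dropped the locally generated
# packet before it left the box; the other cases mean it left or never resolved.
classify_connect_error() {
    case "$1" in
        *"Permission denied"*)  echo "EACCES: pf blocked the firewall's own outbound packet (check pfctl -sr and gateway/route-to rules)" ;;
        *"No route to host"*)   echo "EHOSTUNREACH: no usable route for that address family (check netstat -rn)" ;;
        *"No address record"*)  echo "DNS: name resolution on the firewall itself failed (check /etc/resolv.conf and the resolver/forwarder)" ;;
        *"Connection refused"*) echo "ECONNREFUSED: the packet left and was answered with RST; look upstream" ;;
        *"timed out"*)          echo "ETIMEDOUT: the packet left and nothing came back; upstream path or filtering" ;;
        *)                      echo "unclassified: $1" ;;
    esac
}

# Stand-alone run: verdict on both constructed tables, then the errors quoted in the thread.
for tbl in "$SAMPLE_ROUTES_BAD" "$SAMPLE_ROUTES_OK"; do
    check_default_route "$tbl"
done
for err in 'telnet: connect to address 208.123.73.85: Permission denied' \
           'telnet: connect to address 2607:f8b0:400a:809::200e: No route to host' \
           'pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: No address record'; do
    classify_connect_error "$err"
done
```

    The IPv6 line above maps to EHOSTUNREACH rather than EACCES because the host had no IPv6 default route at all, so the kernel rejected it before pf saw it; the IPv4 attempt got far enough to be filtered. Run on the real table, a WARN with two gateways is the symptom the original poster eventually found.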


  • Problem solved! During my last reset, I mistakenly configured the gateway with the wrong IP, so I created a second gateway with the correct one, but somehow both were being used. I did another reset (using the right gw IP this time) and all has been working perfectly.

    Thank you to the folks here and those behind the Gold support service desk!

