Netgate Discussion Forum

    [SOLVED] New SG-2220 install - Can't access package repo

    • calivw78

      Reposting here. Accidentally posted to a sticky in the Package section mistakenly. Sorry mods :(

      SG-2220
      2.3.2-RELEASE (amd64)
      built on Wed Jul 20 10:29:55 CDT 2016
      FreeBSD 10.3-RELEASE-p5

      When I go to System > Package Manager I get the following errors for both "Installed Packages" and "Available Packages"

      "Unable to retrieve package information."
      From the console, I've tried running option 13 to update. I've also tried 'pfSense-upgrade -d' and 'pkg update'. All result in the following errors...
      Updating pfSense-core repository catalogue...
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: Permission denied
      repository pfSense-core has no meta file, using default settings
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: Permission denied
      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: Permission denied
      repository pfSense has no meta file, using default settings
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: Permission denied
      Unable to update repository pfSense
      

      From LAN clients, I am able to reach the repository and download the files.
      From the console of the pfSense, I can't telnet to either port 80 or port 443 of firmware.netgate.com. I am able to do this from the LAN clients.
      I suspect there is some configuration that I am missing, but out of the box I would expect that the device could access the repositories.
      I am using DNS Forwarder and it is active on all interfaces, including loopback. From the pfSense console, it is able to resolve firmware.netgate.com to 208.123.73.85.

      One last thing, the telnet attempt fails immediately.

      Anyone have any thoughts here? I'm at a loss.

      /: pkg update -f
      Updating pfSense-core repository catalogue...
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: Permission denied
      repository pfSense-core has no meta file, using default settings
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: Permission denied
      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: Permission denied
      repository pfSense has no meta file, using default settings
      pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: Permission denied
      Unable to update repository pfSense
      /: nslookup firmware.netgate.com
      Server:        8.8.8.8
      Address:    8.8.8.8#53
      
      Non-authoritative answer:
      Name:    firmware.netgate.com
      Address: 208.123.73.85
      
      /: telnet firmware.netgate.com 443
      Trying 208.123.73.85...
      telnet: connect to address 208.123.73.85: Permission denied
      telnet: Unable to connect to remote host
      
      • Derelict LAYER 8 Netgate

        That looks like those connections are being denied by policy. Is there an upstream device or something?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • calivw78

          The cable modem, which does have a firewall but isn't blocking 443.

          I did some experimenting. As a starting point, I created an ANY/ANY rule on the WAN net (I know, not secure.) But it did change things. When I did that my error changed from 'Permission denied' to 'No address record'

          Updating pfSense-core repository catalogue...
          pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/meta.txz: No address record
          repository pfSense-core has no meta file, using default settings
          pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-core/packagesite.txz: No address record
          Unable to update repository pfSense-core
          Updating pfSense repository catalogue...
          pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/meta.txz: No address record
          repository pfSense has no meta file, using default settings
          pkg: https://firmware.netgate.com/pkg/pfSense_factory-v2_3_2_amd64-pfSense_factory-v2_3_2/packagesite.txz: No address record
          Unable to update repository pfSense
          

          What also happened is DNS resolution for any on the LAN side started failing. Next I moved from DNS Forwarding to DNS Resolver. I can't remember what behavior I was seeing that caused this to make sense to me, but in any case DNS is now working again using DNS Resolver, but I'm back to the 'Permission Denied.'

          • Derelict LAYER 8 Netgate

            Any any rules on WAN have nothing to do with outbound connections. Zero. You have something else going on if that changed anything.

            ![Screen Shot 2016-09-29 at 9.38.08 PM.png](/public/imported_attachments/1/Screen Shot 2016-09-29 at 9.38.08 PM.png)

            • calivw78

              Ok :)

              Repeating your test fails immediately after pressing the button. Really feels like the request isn't leaving the pfSense host.

              I did log into the ISP router and made sure the FW options they have there are completely disabled.

              2016-09-29_21-51-36-443test.png

              • Derelict LAYER 8 Netgate

                Well, either DNS isn't working or something is rejecting your traffic. Not sure what else to tell you.

                • jimp Rebel Alliance Developer Netgate

                  Floating rule dropping traffic outbound, or perhaps snort or something similar.

                  The errors suggest that the traffic is not being allowed to leave the host, which is not a default behavior.

                  If all else fails, reset to factory defaults and see if it works then.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!
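
Added example, not part of the thread or of pfSense: a Python helper that applies the reasoning in the reply above to the telnet output quoted in this thread, separating a connect() that was refused on the host itself from one that failed further along the path. The errno-to-stage mapping is general BSD socket behaviour assumed here, and the names `STAGE`, `classify`, `verdict` and `probe` are hypothetical.

```python
import errno
import ipaddress
import re
import socket

# strerror text -> (errno name, where the attempt stopped). Assumed mapping.
STAGE = {
    "Permission denied": ("EACCES", "local: denied on this host, nothing sent"),
    "No route to host": ("EHOSTUNREACH", "routing: no usable route"),
    "Network is unreachable": ("ENETUNREACH", "routing: no usable route"),
    "Connection refused": ("ECONNREFUSED", "remote: answered with a reset"),
    "Operation timed out": ("ETIMEDOUT", "path: sent, nothing answered"),
    "Connection timed out": ("ETIMEDOUT", "path: sent, nothing answered"),
}
LINE = re.compile(r"telnet: connect to address (\S+): (.+)$")

# telnet output as quoted in the thread
SAMPLE = """Trying 172.217.3.174...
telnet: connect to address 172.217.3.174: Permission denied
Trying 2607:f8b0:400a:809::200e...
telnet: connect to address 2607:f8b0:400a:809::200e: No route to host
telnet: Unable to connect to remote host""".splitlines()

def classify(lines):
    """Return (address, ip_version, errno_name, stage) per failed attempt."""
    out = []
    for line in lines:
        m = LINE.search(line.strip())
        if m:
            addr, reason = m.groups()
            name, stage = STAGE.get(reason, ("UNKNOWN", "unclassified"))
            out.append((addr, ipaddress.ip_address(addr).version, name, stage))
    return out

def verdict(results):
    """Decide whether to look at this host or at upstream devices."""
    v4 = [name for _, ver, name, _ in results if ver == 4]
    if v4 and all(n == "EACCES" for n in v4):
        return "local: check this host's own rules and gateways, not upstream"
    if "ECONNREFUSED" in v4 or "ETIMEDOUT" in v4:
        return "upstream: traffic left the host, look further along the path"
    return "inconclusive"

def probe(host, port, timeout=5):
    """Live check: errno name of a failed connect, or None on success."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))
```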

                  • calivw78

                    I've done one reset already, but am not above doing another one later today. At this point I have zero floating rules, zero rules configured against the WAN interface, and the standard 3 rules on the LAN allow all connections.

                    Not sure if it's an indicator, but when I use the DNS Lookup test I can resolve google and firmware.netgate.com. The first name server listed is localhost, followed by some google name servers I put in. However when I do the Test Port test, I can't connect on port 80 even for google.com. I would have expected that to work.

                    Trying from the console, it fails immediately. Much like the package update requests to netgate.

                    Trying 172.217.3.174...
                    telnet: connect to address 172.217.3.174: Permission denied
                    Trying 2607:f8b0:400a:809::200e...
                    telnet: connect to address 2607:f8b0:400a:809::200e: No route to host
                    telnet: Unable to connect to remote host
                    
                    • jimp Rebel Alliance Developer Netgate

                      What does your interface config (ifconfig -a) and routing table (netstat -rn) look like?  You can mask a couple digits if necessary but at least leave the last two octets of addresses in place.

                      • calivw78

                        Problem solved! During my last reset, I mistakenly configured the gateway with the wrong IP, so I created a second gateway with the correct one, but somehow both were being used. I did another reset (using the right gw IP this time) and all has been working perfectly.

                        Thank you to the folks here and those behind the Gold support service desk!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.