Netgate Discussion Forum
    pfsense self routing (unable to update/route)

    Category: DHCP and DNS (4 posts, 3 posters, 1.0k views)
    jrgx19 (last edited by jrgx19):

      I am having issues routing pfsense's traffic. All the hosts connected to the firewall route correctly. However, the firewall itself cannot resolve any site. I am also unable to ping external sites from the firewall itself.
      There is also no package information on the available packages tab. The firewall is also unable to pull update information.

      My config consists of two VPN connections. All traffic is routed via VPN depending on the type of traffic, which IP it is originating from and where it is being routed to. One of the VPN tunnels has been assigned as the default gateway to catch any traffic not specified by a firewall rule.

      Trying to manually update fails (I realize I am running the latest stable release):

      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg update -f
      Updating pfSense-core repository catalogue...
      pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
      repository pfSense-core has no meta file, using default settings
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
      repository pfSense has no meta file, using default settings
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
      Unable to update repository pfSense
      Error updating repositories!
      
      
      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg upgrade -f
      Updating pfSense-core repository catalogue...
      pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
      repository pfSense-core has no meta file, using default settings
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
      repository pfSense has no meta file, using default settings
      pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
      Unable to update repository pfSense
      Error updating repositories!
      

      Pinging Google via URL fails. Pinging Google's DNS via IP returns a response:

      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 www.google.com
      PING www.google.com (172.217.10.68): 56 data bytes
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 e701   0 0000  01  01 0000 127.0.0.1  172.217.10.68
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 e5bd   0 0000  01  01 0000 127.0.0.1  172.217.10.68
      36 bytes from localhost (127.0.0.1): Time to live exceeded
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  00 0054 c72d   0 0000  01  01 0000 127.0.0.1  172.217.10.68
      --- www.google.com ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      
      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 8.8.8.8
      PING 8.8.8.8 (8.8.8.8): 56 data bytes
      64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=23.300 ms
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=20.215 ms
      64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=23.467 ms
      --- 8.8.8.8 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 20.215/22.327/23.467/1.495 ms
      

      nslookup to google returns the expected output:

      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: nslookup google.com
      Server:         127.0.0.1
      Address:        127.0.0.1#53
      Non-authoritative answer:
      Name:   google.com
      Address: 172.217.13.174
      Name:   google.com
      Address: 2607:f8b0:4020:806::200e
      

      Trying to browse to Google using curl fails with the default interface. It reaches Google if the VPN interface is specified:

      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com
      curl: (7) Couldn't connect to server
      
      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl --interface ovpnc1 google.com
      <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
      <TITLE>301 Moved</TITLE></HEAD><BODY>
      <H1>301 Moved</H1>
      The document has moved
      <A HREF="http://www.google.com/">here</A>.
      </BODY></HTML>
      

      Here are some of my configs:

      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /etc/resolv.conf
      nameserver 127.0.0.1
      search XXXX.tech
      nameserver 1.1.1.1
      nameserver 208.67.220.220
      nameserver 208.67.222.222
      nameserver 8.8.8.8
      
      [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
      FreeBSD: { enabled: no }
      
      pfSense-core: {
        url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-core",
        mirror_type: "srv",
        signature_type: "fingerprints",
        fingerprints: "/usr/local/share/pfSense/keys/pkg",
        enabled: yes
      }
      
      pfSense: {
        url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel",
        mirror_type: "srv",
        signature_type: "fingerprints",
        fingerprints: "/usr/local/share/pfSense/keys/pkg",
        enabled: yes
      }
      

      Here are my GUI DNS server settings. I have played with "DNS Server Override" and "Disable DNS Forwarder"; no difference.

      [screenshot: dns_server.png]

      Here is my GUI Routing settings:

      [screenshot: routing.png]

      heper:

        @jrgx19 said in pfsense self routing (unable to update/route):

        with default interface. It resolves to google if VPN interface is specified
        [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com

        Perhaps you are missing NAT rules for localhost on your VPN interface?

        beremonavabi (replying to jrgx19):

          @jrgx19
          I could be wrong, but it sounds like an issue I brought up a while ago:

          https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

          Hopefully, that link will be of some help.

          SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

          jrgx19 (replying to beremonavabi, last edited by jrgx19):

            @beremonavabi said in pfsense self routing (unable to update/route):

            @jrgx19
            I could be wrong, but it sounds like an issue I brought up a while ago:

            https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

            Hopefully, that link will be of some help.

            Thank you @beremonavabi. This did the trick for me. The firewall is now able to route all its traffic via the VPN. The only thing I noticed is that the gateway for that specific VPN client shows as being Offline. However, the client instance status shows it up/connected with an IP. I am also able to route traffic through it. Seems a bit odd.

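The fix in the linked thread (redirect-gateway def1 on the OpenVPN client) works because the firewall's own traffic follows the kernel routing table, not the policy-routing firewall rules that steer the LAN hosts. The check below is an added example, not code from the thread or from pfSense: it reads a `netstat -rn -f inet` dump and reports where locally generated Internet-bound traffic will egress. Both route tables are constructed samples, and the interface names (ovpnc1, em0) and addresses in them are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): given a `netstat -rn -f inet` dump on
# stdin, report which interface the kernel uses for the firewall's *own*
# traffic to an arbitrary Internet host. pfSense policy-routing rules steer
# forwarded traffic only; locally generated packets follow this table.

# Constructed sample 1: the default route resolves onto the loopback, so the
# box talks to itself, which is the "Time to live exceeded from localhost"
# symptom seen in the thread's ping output.
BROKEN_TABLE='Destination        Gateway            Flags     Netif Expire
default            127.0.0.1          UGS          lo0
10.8.0.0/24        link#7             U         ovpnc1
127.0.0.1          link#2             UH           lo0
192.168.1.0/24     link#1             U            em0'

# Constructed sample 2: after redirect-gateway def1 on the OpenVPN client the
# two /1 routes are more specific than "default" and win for every destination.
FIXED_TABLE='Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.0.1           UGS       ovpnc1
default            203.0.113.1        UGS          em0
10.8.0.0/24        link#7             U         ovpnc1
127.0.0.1          link#2             UH           lo0
128.0.0.0/1        10.8.0.1           UGS       ovpnc1'

# Print the egress interface for Internet-bound local traffic, or "none".
self_route_egress() {
    awk '
        $1 == "0.0.0.0/1"   { low  = $4 }
        $1 == "128.0.0.0/1" { high = $4 }
        $1 == "default"     { def  = $4 }
        END {
            if (low != "" && high != "" && low == high) { print low; exit }
            if (def != "") { print def; exit }
            print "none"
        }'
}

# Exit 0 when the firewall itself can reach the Internet, 1 when its traffic
# has no route or would loop back onto the loopback interface.
self_route_ok() {
    case "$(self_route_egress)" in
        none|lo[0-9]*) return 1 ;;
        *)             return 0 ;;
    esac
}

printf '%s\n' "$BROKEN_TABLE" | self_route_egress   # lo0
printf '%s\n' "$FIXED_TABLE"  | self_route_egress   # ovpnc1
```

On a live box, pipe `netstat -rn -f inet | self_route_ok` to get the same verdict for the running routing table.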
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.