pfsense self routing (unable to update/route)



  • I am having issues routing pfSense’s traffic. All the hosts connected to the firewall route correctly. However, the firewall itself cannot resolve any site. I am also unable to ping external sites from the firewall itself.
    There is also no package information on the available packages tab. The firewall is also unable to pull update information.

    My config consists of two VPN connections. All traffic is routed via VPN depending on the type of traffic, which IP it is originating from and where it is being routed to. One of the VPN tunnels has been assigned as the default gateway to catch any traffic not specified by a firewall rule.

    Trying to manually update fails (I realize I am running the latest stable release):

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg update -f
    Updating pfSense-core repository catalogue...
    pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
    repository pfSense-core has no meta file, using default settings
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
    repository pfSense has no meta file, using default settings
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
    Unable to update repository pfSense
    Error updating repositories!
    
    
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg upgrade -f
    Updating pfSense-core repository catalogue...
    pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
    repository pfSense-core has no meta file, using default settings
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
    repository pfSense has no meta file, using default settings
    pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
    Unable to update repository pfSense
    Error updating repositories!
    

    Pinging Google via URL fails. Pinging Google’s DNS via IP returns a response.

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 www.google.com
    PING www.google.com (172.217.10.68): 56 data bytes
    36 bytes from localhost (127.0.0.1): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 e701   0 0000  01  01 0000 127.0.0.1  172.217.10.68
    36 bytes from localhost (127.0.0.1): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 e5bd   0 0000  01  01 0000 127.0.0.1  172.217.10.68
    36 bytes from localhost (127.0.0.1): Time to live exceeded
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  00 0054 c72d   0 0000  01  01 0000 127.0.0.1  172.217.10.68
    --- www.google.com ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=23.300 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=20.215 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=23.467 ms
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 20.215/22.327/23.467/1.495 ms
    

    nslookup to google returns the expected output

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: nslookup google.com
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    Non-authoritative answer:
    Name:   google.com
    Address: 172.217.13.174
    Name:   google.com
    Address: 2607:f8b0:4020:806::200e
    

    Trying to browse to Google using curl fails with the default interface. It resolves to Google if the VPN interface is specified.

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com
    curl: (7) Couldn't connect to server
    
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl --interface ovpnc1 google.com
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.com/">here</A>.
    </BODY></HTML>
    

    Here are some of my configs:

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /etc/resolv.conf
    nameserver 127.0.0.1
    search XXXX.tech
    nameserver 1.1.1.1
    nameserver 208.67.220.220
    nameserver 208.67.222.222
    nameserver 8.8.8.8
    
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
    FreeBSD: { enabled: no }
    
    pfSense-core: {
      url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-core",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    
    pfSense: {
      url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    

    Here are my GUI DNS server settings. I have played with “DNS Server Override” and “Disable DNS Forwarder” with no difference.

    0_1528449139107_dns_server.png

    Here is my GUI Routing settings:

    0_1528448051924_routing.png
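    A small triage helper for the symptoms in the post above, added here as an example and not part of the original thread or of pfSense. It runs the same checks over constructed sample output modelled on the transcripts above: it flags a "Time to live exceeded" reply from 127.0.0.1 as a local routing loop (the packet never left the box), distinguishes that from a plain unreachable result, and reads a FreeBSD-style `netstat -rn` table to report which interface carries the firewall's own default path, including the 0.0.0.0/1 and 128.0.0.0/1 pair that OpenVPN's `redirect-gateway def1` installs to override the default route without deleting it. All sample transcripts, addresses and interface names are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed ping transcripts, modelled on the thread's output: the first loops
# on the loopback interface, the second reaches its target normally.
PING_LOOP = """PING www.google.com (172.217.10.68): 56 data bytes
36 bytes from localhost (127.0.0.1): Time to live exceeded
36 bytes from localhost (127.0.0.1): Time to live exceeded
--- www.google.com ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
"""

PING_OK = """PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=23.300 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=20.215 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
"""

# Constructed FreeBSD-style `netstat -rn` tables (constructed addresses and
# interface names). The first has only a WAN default route; the second adds the
# two /1 routes that OpenVPN's "redirect-gateway def1" installs, which are more
# specific than "default" and therefore carry the firewall's own traffic.
ROUTES_WAN_DEFAULT = """Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        link#10            U         ovpnc1
127.0.0.1          link#3             UH          lo0
"""

ROUTES_DEF1 = """Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
0.0.0.0/1          10.8.0.1           UGS       ovpnc1
128.0.0.0/1        10.8.0.1           UGS       ovpnc1
10.8.0.0/24        link#10            U         ovpnc1
127.0.0.1          link#3             UH          lo0
"""

LOSS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
LOOP_RE = re.compile(r"from localhost \(127\.0\.0\.1\): Time to live exceeded")


def classify_ping(output: str) -> str:
    """Return 'ok', 'local-loop' or 'unreachable' for one ping transcript.

    'local-loop' means the ICMP time-exceeded replies came from 127.0.0.1: the
    packet was routed back into the local stack until its TTL ran out, which is
    what a ping from the firewall itself shows when its own route is wrong.
    """
    if LOOP_RE.search(output):
        return "local-loop"
    m = LOSS_RE.search(output)
    if m and int(m.group(2)) > 0:
        return "ok"
    return "unreachable"


def parse_routes(netstat_output: str) -> Dict[str, Tuple[str, str]]:
    """Map destination -> (gateway, interface) from a netstat -rn table."""
    routes: Dict[str, Tuple[str, str]] = {}
    for line in netstat_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 4:
            dest, gw, _flags, netif = parts[:4]
            routes[dest] = (gw, netif)
    return routes


def self_default_interface(routes: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Interface the firewall's own unmatched traffic leaves on.

    When both 0.0.0.0/1 and 128.0.0.0/1 point at the same interface they win
    over "default" by being more specific (the redirect-gateway def1 trick).
    """
    halves = [routes.get("0.0.0.0/1"), routes.get("128.0.0.0/1")]
    if all(halves) and halves[0][1] == halves[1][1]:
        return halves[0][1]
    default = routes.get("default")
    return default[1] if default else None


def triage(ping_web: str, ping_dns_ip: str, netstat_output: str) -> dict:
    """Summarise the observations the way the thread lays them out."""
    web = classify_ping(ping_web)
    dns_ip = classify_ping(ping_dns_ip)
    iface = self_default_interface(parse_routes(netstat_output))
    return {
        "ping_web_host": web,
        "ping_dns_ip": dns_ip,
        "self_default_iface": iface,
        # One destination is reachable while another loops locally: the
        # firewall's own (non-policy-routed) default path is the suspect.
        "likely_self_routing_problem": web == "local-loop" and dns_ip == "ok",
    }


if __name__ == "__main__":
    print(triage(PING_LOOP, PING_OK, ROUTES_WAN_DEFAULT))
    print(triage(PING_LOOP, PING_OK, ROUTES_DEF1))
```

    On a live box the same functions can be fed the real output of `ping -c 3 <host>` and `netstat -rn`; the point of the loop check is that replies from 127.0.0.1 separate "my packets never leave the firewall" from "the far end does not answer", which the 100% packet loss line alone does not tell you.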



  • @jrgx19 said in pfsense self routing (unable to update/route):

    with default interface. It resolves to google if VPN interface is specified
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com

    Perhaps you are missing NAT rules for localhost on your VPN interface?



  • @jrgx19
    I could be wrong, but it sounds like an issue I brought up a while ago:

    https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

    Hopefully, that link will be of some help.



  • @beremonavabi said in pfsense self routing (unable to update/route):

    @jrgx19
    I could be wrong, but it sounds like an issue I brought up a while ago:

    https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

    Hopefully, that link will be of some help.

    Thank you @beremonavabi. This did the trick for me. The firewall is now able to route all its traffic via the VPN. The only thing I noticed is that the Gateway for that specific VPN client shows as being Offline. However, the client instance status shows it up/connected w/ IP. I am also able to route traffic through it. Seems a bit odd.



© Copyright 2002 - 2018 Rubicon Communications, LLC