4. pfsense self routing (unable to update/route)

pfsense self routing (unable to update/route)

  • J

    I am having issues routing pfsense's traffic. all the hosts connected to the firewall route correctly. However, the firewall itself cannot resolve to any site. I am also unable to ping external sites from the firewall itself.
    There is also no package information on the available packages tab. The firewall is also unable to pull updates information.

    My config consist of two VPN connections. All traffic is routed via VPN depending on the type of traffic and which IP it is originating from and where it is being routed to. One of the VPN tunnels is the has been assigned as the default gateway to catch any traffic not specified by a firewall rule.

    trying to manually update fails (I realize I am running the latest stable release) :

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg update -f
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
repository pfSense-core has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!


[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg upgrade -f
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
repository pfSense-core has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!

    pinging google via url fails. pinging google's dns via ip returns a response

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 www.google.com
PING www.google.com (172.217.10.68): 56 data bytes
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 e701   0 0000  01  01 0000 127.0.0.1  172.217.10.68
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 e5bd   0 0000  01  01 0000 127.0.0.1  172.217.10.68
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 c72d   0 0000  01  01 0000 127.0.0.1  172.217.10.68
--- www.google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=23.300 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=20.215 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=23.467 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.215/22.327/23.467/1.495 ms

    nslookup to google returns a expected output

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53
Non-authoritative answer:
Name:   google.com
Address: 172.217.13.174
Name:   google.com
Address: 2607:f8b0:4020:806::200e

    trying to browse to google using curl fails with default interface. It resolves to google if VPN interface is specified

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com
curl: (7) Couldn't connect to server

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl --interface ovpnc1 google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

    here are some of my configs:

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /etc/resolv.conf
nameserver 127.0.0.1
search XXXX.tech
nameserver 1.1.1.1
nameserver 208.67.220.220
nameserver 208.67.222.222
nameserver 8.8.8.8

    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

pfSense: {
  url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

    Here is my GUI DNS server settings. I have played with "DNS Server Override" and "Disable DNS Forwarder" no difference.

    0_1528449139107_dns_server.png

    Here is my GUI Routing settings:

    0_1528448051924_routing.png

    0 1 Reply
  • H

    @jrgx19 said in pfsense self routing (unable to update/route):

    with default interface. It resolves to google if VPN interface is specified
    [2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com

    perhaps you are missing NAT rules for localhost on your VPN interface ?

    0

  • @jrgx19
    I could be wrong, but it sounds like an issue I brought up a while ago:

    https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

    Hopefully, that link will be of some help.

    1
    J
     1 Reply
  • J

    @beremonavabi said in pfsense self routing (unable to update/route):

    @jrgx19
    I could be wrong, but it sounds like an issue I brought up a while ago:

    https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn

    Hopefully, that link will be of some help.

    Thank you @beremonavabi. This did the trick for me. the firewall is now able to route all its traffic via the VPN. The only thing I noticed is that the Gateway for that specific VPN client shows as being Offline. However, the client instance status shows it up/connected/ w/IP. I am also able to route traffic through it. Seems a bit odd

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy