pfsense self routing (unable to update/route)
-
I am having issues routing pfSense's traffic. All the hosts connected to the firewall route correctly. However, the firewall itself cannot resolve any site. I am also unable to ping external sites from the firewall itself.
There is also no package information on the available packages tab, and the firewall is unable to pull update information. My config consists of two VPN connections. All traffic is routed via VPN depending on the type of traffic, which IP it is originating from, and where it is being routed to. One of the VPN tunnels has been assigned as the default gateway to catch any traffic not specified by a firewall rule.
Trying to manually update fails (I realize I am running the latest stable release):

```
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg update -f
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
repository pfSense-core has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: pkg upgrade -f
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/meta.txz: No address record
repository pfSense-core has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!
```
Pinging Google via URL fails. Pinging Google's DNS via IP returns a response:

```
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 www.google.com
PING www.google.com (172.217.10.68): 56 data bytes
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 e701   0 0000  01  01 0000 127.0.0.1  172.217.10.68
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 e5bd   0 0000  01  01 0000 127.0.0.1  172.217.10.68
36 bytes from localhost (127.0.0.1): Time to live exceeded
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 0054 c72d   0 0000  01  01 0000 127.0.0.1  172.217.10.68
--- www.google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=23.300 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=20.215 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=23.467 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 20.215/22.327/23.467/1.495 ms
```
nslookup to Google returns the expected output:

```
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: nslookup google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	google.com
Address: 172.217.13.174
Name:	google.com
Address: 2607:f8b0:4020:806::200e
```
Trying to browse to Google using curl fails with the default interface. It resolves to Google if the VPN interface is specified:

```
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com
curl: (7) Couldn't connect to server
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl --interface ovpnc1 google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
```
Here are some of my configs:

```
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /etc/resolv.conf
nameserver 127.0.0.1
search XXXX.tech
nameserver 1.1.1.1
nameserver 208.67.220.220
nameserver 208.67.222.222
nameserver 8.8.8.8
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

pfSense: {
  url: "pkg+https://beta.pfsense.org/packages/pfSense_master_amd64-pfSense_devel",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}
```
Here are my GUI DNS server settings. I have played with "DNS Server Override" and "Disable DNS Forwarder"; no difference.
Here is my GUI Routing settings:
-
@jrgx19 said in pfsense self routing (unable to update/route):

with default interface. It resolves to google if VPN interface is specified
[2.4.3-RELEASE][root@pfsense.XXXX.tech]/root: curl google.com

Perhaps you are missing NAT rules for localhost on your VPN interface?
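The two symptoms discussed so far, the ping replies of "Time to live exceeded" coming back from 127.0.0.1 in the original post and the possibly missing outbound NAT for localhost on the VPN interface raised in this reply, can both be checked from the firewall's shell. The script below is an added example written for this thread; it is not code from either poster or from the pfSense project. It assumes the OpenVPN client interface is named ovpnc1, as in the post, and that NAT rules are read from the output of `pfctl -sn` in pf's usual `nat on <if> inet from <net> to any -> <addr>` form. The sample ping and NAT lines used in the test are constructed from the post's output.

```shell
#!/bin/sh
# Triage helper for firewall-originated ("self") traffic on pfSense (FreeBSD/pf).
# Added example for this thread; not code from the posters or the pfSense project.
# Assumes the OpenVPN client interface is ovpnc1, as in the original post;
# override with VPN_IF=<ifname> if yours differs.

VPN_IF="${VPN_IF:-ovpnc1}"

# True when ping output on stdin shows the loop from the post: ICMP
# "Time to live exceeded" arriving from 127.0.0.1 means the firewall's own
# packets are being routed back into lo0 instead of out via a gateway.
ping_shows_loopback_loop() {
    grep -q 'from localhost (127\.0\.0\.1): Time to live exceeded'
}

# True when ping output on stdin reports at least one reply received.
ping_got_replies() {
    grep -Eq '^[0-9]+ packets transmitted, [1-9][0-9]* packets received'
}

# True when the loaded NAT rules (pfctl -sn output on stdin) contain an
# outbound NAT rule on interface $1 covering 127.0.0.0/8. Locally generated
# traffic egressing a VPN interface needs such a rule, which is what the
# reply above suggests may be missing.
nat_covers_loopback() {
    grep -Eq "^nat on $1( |$).*from 127\.0\.0\.0/8( |$)"
}

# Combine the observations into one verdict. $1 = file with ping output,
# $2 = file with pfctl -sn output. Prints one of:
#   loop-no-nat  self traffic loops via lo0 AND no 127.0.0.0/8 NAT on $VPN_IF
#   loop         self traffic loops via lo0, NAT present (check the default route)
#   reachable    replies received, self routing works
#   unreachable  no loop signature and no replies (look further upstream)
diagnose_self_routing() {
    if ping_shows_loopback_loop < "$1"; then
        if nat_covers_loopback "$VPN_IF" < "$2"; then
            echo loop
        else
            echo loop-no-nat
        fi
    elif ping_got_replies < "$1"; then
        echo reachable
    else
        echo unreachable
    fi
}

# Live mode, run on the firewall itself:  sh self_routing_check.sh --live
if [ "${1:-}" = "--live" ]; then
    ping_out=$(mktemp) && nat_out=$(mktemp)
    ping -c 3 www.google.com > "$ping_out" 2>&1 || true   # ping exits non-zero on loss
    pfctl -sn > "$nat_out"
    diagnose_self_routing "$ping_out" "$nat_out"
    rm -f "$ping_out" "$nat_out"
fi
```

Run with `--live` on the firewall to get a one-word verdict; without arguments it only defines the functions, so the same file can be sourced and fed saved ping and `pfctl -sn` output captured earlier. On the post's own output the verdict is `loop-no-nat` when no 127.0.0.0/8 rule exists on ovpnc1, and `loop` when one does, which points away from NAT and toward how the firewall's own traffic is routed to the VPN gateway.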
-
@jrgx19
I could be wrong, but it sounds like an issue I brought up a while ago: https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn
Hopefully, that link will be of some help.
-
@beremonavabi said in pfsense self routing (unable to update/route):
@jrgx19
I could be wrong, but it sounds like an issue I brought up a while ago: https://forum.netgate.com/topic/115760/firewall-traffic-needs-redirect-gateway-def1-to-route-thru-vpn
Hopefully, that link will be of some help.
Thank you @beremonavabi. This did the trick for me. The firewall is now able to route all its traffic via the VPN. The only thing I noticed is that the gateway for that specific VPN client shows as being Offline. However, the client instance status shows it up/connected with an IP. I am also able to route traffic through it. Seems a bit odd.