Unable to check for updates (SOLVED)

Jossk · Feb 14, 2023, 12:05 AM

Host "firmware.netgate.com" could not be resolved.

Name Servers:
127.0.0.1 ----> No Response

System > Gen. Setup set to "Use Local DNS, ignore remote DNS Servers".

So I guess I have a misconfiguration in the DNS Resolver, then?

stephenw10 · Feb 14, 2023, 4:03 AM

Yes, I would think so. And you have no other servers configured or being passed? They won't be used with that setting in general setup though.

Jossk · Feb 14, 2023, 4:03 AM

@stephenw10

I added all of my interfaces as DNS servers in General Setup. Only 2 interfaces are having issues, the loopback (127.0.0.1), and one other network.

With any of those added, pfS can check for system updates, and the Package Manager can load the Available Packages.

Knowing that, I'm more inclined to think that the more likely cause is a firewall config.

Cursory glance at my firewall rules doesn't show anything that should block these 2 interfaces.

I'll have to keep investigating.

Thank you for the idea. Now I have a direction and a stop-gap solution until I get it working properly.

stephenw10 · Feb 14, 2023, 1:08 PM

@jossk said in Unable to check for updates (SOLVED):

I added all of my interfaces as DNS servers in General Setup.

Not sure exactly what you did but that's probably not what you want. The list there should contain other remote DNS servers that pfSense itself can use. It doesn't need to contain localhost, that is used anyway. The behaviour it uses those in can be set there but by default it will try localhost (Unbound on the firewall) and fall back to others in the list or servers passed by dhcp.

But since making any change there allowed it to work it's definitely a DNS problem.

Steve

Jossk · Feb 14, 2023, 4:42 PM

@stephenw10

Sorry, I should have clarified. I did that just to test all of my interfaces to see if my other interfaces were working or not. After verifying they worked, I deleted those from the list.

Also, changing to "Use local DNS (127.0.0.1), fall back to remote DNS", it tests localhost without me having to add it manually.

If that's the case, here is screenshots of my DNS Resolver config. Is there anything that stands out that could be the cause?

Note: I have a firewall rule to block external DNS servers. Mostly so IoT devices with hard coded DNS will be forced to use mine.

login-to-view

stephenw10 · Feb 14, 2023, 4:54 PM

Try disabling SSL/TLS for outgoing queries. That should only ever be set in conjunction with forwarding mode.
Also you are filtering responses there using pfBlocker/DNSBL. Check the pfBlocker alerts.

Jossk · Feb 14, 2023, 5:29 PM

@stephenw10

Disabled SSL/TLS for outgoing. No change in DNS Lookup (will leave off).

To be honest, I don't know what I should be looking for in the alerts.

I did try disabling pfBlocker. No change in DNS Lookup.

I can try turning off "Keep Settings", and uninstalling the pfBlocker package.

I'm still confused as to why DNS resolution works on my VLAN interfaces work, while not working on my LAN and loopback.

login-to-view
login-to-view

stephenw10 · Feb 14, 2023, 6:19 PM

Check Status > DNS Resolver after you try to look it up. You should see entries for netgate.com.

Otherwise you can try turning up the logging in Unbound to see the individual queries and failures.

Steve

Jossk · Feb 14, 2023, 7:41 PM

@stephenw10

I see 2 entries for netgate.com.

login-to-view

I also turned up logging to Level 3: Query level information in DNS Resolver > Advanced Settings.

(Keep in mind I still have one of my (working) VLANs in my DNS servers list)

stephenw10 · Feb 14, 2023, 8:13 PM

@jossk said in Unable to check for updates (SOLVED):

I also turned up logging to Level 3: Query level information in DNS Resolver > Advanced Settings.

Do you see failures in the DNS logs?

Jossk · Feb 14, 2023, 8:25 PM

@stephenw10

I think I found the issue. It was this floating firewall rule.

login-to-view

I disabled it (as shown), then tested via DNS Lookup (I also added Quad9 DNS as external DNS to test). All interfaces, including the loopback and the LAN interface are now connecting.

the IP_PublicDNS Alias (link contains list of public IPs). Unfortunately, it also appears to contain a number of private IPs, including 192.168.0.1, & loopback (127.0.0.1).

Now that I think of it, I know of a better way that doesn't use an arbitrary list.

I feel like an idiot for blindly using the list and not properly vetting before using.

Thank you. I appreciate your assistance and patients.

stephenw10 · Feb 14, 2023, 8:35 PM

Yeah, that could easily block outbound requests. Setting direction In would prevent that.

But you probably want to use something that redirects anyway:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

Jossk · Feb 14, 2023, 8:52 PM

@stephenw10

I have that for my IoT subnet. That is the better method to transparently redirect traffic.

I think what happened was I found that list first, then learned how to do that traffic redirection, but neglected to scrap the list & associated rules.

I am perplexed as to why they put private IP addresses, including the reserved loopback on the list.

I just emailed the maintainers of the list to ask them why.

PeterHouse · Feb 28, 2023, 7:04 PM

Unable to check for updates.

I can not see any packages and the notice on my dashboard says "unable to check for updates"

I have tried changing the contents of /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf and soon realized this seemed like the wrong processor for my 2100. Put the file back to original.

$ pkg info pfSense-upgrade

pfSense-upgrade-1.0_29
Name           : pfSense-upgrade
Version        : 1.0_29
Installed on   : Fri Dec 30 12:55:58 2022 EST
Origin         : sysutils/pfSense-upgrade
Architecture   : FreeBSD:12:aarch64
Prefix         : /usr/local
Categories     : sysutils
Licenses       : APACHE20
Maintainer     : coreteam@pfsense.org
WWW            : https://www.pfsense.org/
Comment        : pfSense upgrade script
Annotations    :
	FreeBSD_version: 1203506
	build_timestamp: 2022-11-22T02:25:53+0000
	built_by       : poudriere-git-3.3.99.20220831
	port_checkout_unclean: no
	port_git_hash  : e46d32a272fe
	ports_top_checkout_unclean: yes
	ports_top_git_hash: e46d32a272fe
	repo_type      : binary
	repository     : pfSense
Flat size      : 64.7KiB
Description    :
pfSense upgrade script

WWW: https://www.pfsense.org/

$ pkg-static -d update

DBG(1)[86073]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[86073]> PkgRepo: verifying update for pfSense-core
DBG(1)[86073]> PkgRepo: need forced update of pfSense-core
DBG(1)[86073]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.conf
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.conf with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.conf with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.conf with opts "i"
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/meta.txz: Service Unavailable
repository pfSense-core has no meta file, using default settings
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.pkg: Service Unavailable
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-core/packagesite.txz: Service Unavailable
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
DBG(1)[86073]> PkgRepo: verifying update for pfSense
DBG(1)[86073]> PkgRepo: need forced update of pfSense
DBG(1)[86073]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.conf
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.conf with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.conf with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.conf with opts "i"
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/meta.txz: Service Unavailable
repository pfSense has no meta file, using default settings
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.pkg: Service Unavailable
DBG(1)[86073]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz
DBG(1)[86073]> opening libfetch fetcher
DBG(1)[86073]> Fetch > libfetch: connecting
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz with opts "i"
DBG(1)[86073]> Fetch: fetching from: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz with opts "i"
pkg-static: https://repo00.atx.netgate.com/pkg/pfSense_plus-v23_01_aarch64-pfSense_plus_v23_01/packagesite.txz: Service Unavailable
Unable to update repository pfSense
Error updating repositories!

Wheat thoroughly mixed with chaff, unable to separate. Any/All help appreciated.

rcoleman-netgate · Feb 28, 2023, 7:13 PM

@peterhouse

Upgrades to 1100/2100 models are suspended while an issue is being fixed
Package updates for 22.05 can be found by changing branch from 23.01 to 22.05 in System->Update

PeterHouse · Feb 28, 2023, 7:23 PM

@rcoleman-netgate Thank you, that works - All I really needed was to see the packages. Any updates can wait until after I get an openVPN configured - what can go wrong now?

KB8DOA · Feb 28, 2023, 8:46 PM

I am stuck AGAIN on ALL of my SG-5100 pfSense+ boxes.

Am stuck on 22.05 and getting "Unable to check for updates"

I do have the Update settings Branch set to 23.01

Can anyone advise on what to do this time?

rcoleman-netgate · Feb 28, 2023, 8:47 PM

@kb8doa What is the output of this command:

cat /usr/local/etc/pkg/repos/pfSense.conf

run at Diagnostics->Command Prompt in the GUI.

KB8DOA · Feb 28, 2023, 8:50 PM

@kb8doa
FreeBSD: { enabled: no }

pfSense-core: {
url: "pkg+https://firmware.netgate.com/pkg/pfSense_plus-v23_01_amd64-core",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

pfSense: {
url: "pkg+https://firmware.netgate.com/pkg/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01",
mirror_type: "srv",
signature_type: "fingerprints",
fingerprints: "/usr/local/share/pfSense/keys/pkg",
enabled: yes
}

stephenw10 · Feb 28, 2023, 9:17 PM

Ok, that is correct. What does pkg-static -d update show?