can't update pfsense or install packages
-
There has to be something in your rules blocking the outgoing connection then, but without a floating rule I'm not sure what it might be coming from. A package, possibly.
Can you post the whole
/tmp/rules.debug
file as a text attachment (e.g. rename it to rules.txt). You can edit out any sensitive IP addresses but please keep the last octet intact and differentiated. For example, you can change 192.168.1.1 to x.x.x.1 and 203.0.113.5 to y.y.y.5 so it's clear they're different subnets.
-
Yes, it has to be something blocking it locally. The firewall itself cannot create outbound states.
Do you have outbound NAT set to automatic? If not, perhaps you have an overmatching rule doing something odd. That wasn't the same error you saw when it was trying IPv6...
-
-
@stephenw10 Outbound NAT mode is set to automatic.
-
Did you ever have rules using those aliases for the Netgate repo servers?
Though you can't even open a state to 1.1.1.1.
Did you ever have Snort/Suricata installed?
-
@stephenw10 You mean aliases for Netgate servers? I don't remember, and I have never installed any package.
-
Your config contains:
# User Aliases
table <files01_netgate_com> { 208.123.73.209/32 2610:160:11:18::209/128 }
files01_netgate_com = "<files01_netgate_com>"
table <files00_netgate_com> { 208.123.73.207/32 2610:160:11:18::207/128 }
files00_netgate_com = "<files00_netgate_com>"
table <pkg01_atx_netgate_com> { 208.123.73.209/32 2610:160:11:18::209/128 }
pkg01_atx_netgate_com = "<pkg01_atx_netgate_com>"
table <pkg00_atx_netgate_com> { 208.123.73.207/32 2610:160:11:18::207/128 }
pkg00_atx_netgate_com = "<pkg00_atx_netgate_com>"
Those are user created but are not currently being used in the ruleset. If at any time they were used it's possible some old rule is somehow still loaded.
Can we assume you have rebooted at some point? That would clear any old rules.
-
@stephenw10 I just rebooted the router, but nothing changes.
-
So you have those aliases but never used them in a firewall rule?
Do you have an upstream proxy configured?
-
@stephenw10 said in can't update pfsense or install packages:
So you have those aliases but never used them in a firewall rule?
yes
-
@stephenw10 said in can't update pfsense or install packages:
Do you have an upstream proxy configured?
no
-
Ok, try this. At the CLI run:
pfctl -d
That will disable the firewall entirely.
Then try to update again:
pkg-static -d update
Re-enable the firewall again:
pfctl -e
-
@stephenw10 I lost internet completely when I disabled the firewall.
-
You would lose it from a client behind the firewall because it also disables NAT but does it allow the firewall to connect to the package servers?
-
@stephenw10 No, the firewall update status keeps looking in the dashboard.
Tried the update from the command prompt, no success.
Package manager is unable to connect to servers.
-
Does it still show 'permission denied' though with the firewall disabled?
-
@stephenw10 Permission denied where?
-
When you run
pkg-static -d update
Previously you were seeing:
DBG(1)[49613]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i4"
pkg-static: https://pkg00-atx.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz: Permission denied
And similarly in the netcat test:
$ nc -vz4 pkg00-atx.netgate.com 443
nc: connect to pkg00-atx.netgate.com port 443 (tcp) failed: Permission denied
Since it can't create states locally it must be something on the firewall doing that.
So if we disable pf and it still shows that error that means it must be something other than pf. Which in 2.6 could really only be ipfw.
But that's only used in the Captive Portal and for Limiters.
So since you're not using Captive Portal, do you have Limiters defined? I don't see any rules passing traffic into pipes if you do.
-
@stephenw10 said in can't update pfsense or install packages:
nc -vz4 pkg00-atx.netgate.com 443
After disabling pf I got this:
[2.6.0-RELEASE][admin@pfSense.xxx.local]/root: pkg-static -d update
DBG(1)[55352]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[55352]> PkgRepo: verifying update for pfSense-core
DBG(1)[55352]> PkgRepo: need forced update of pfSense-core
DBG(1)[55352]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[55352]> Request to fetch pkg+https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf
DBG(1)[55352]> opening libfetch fetcher
DBG(1)[55352]> Fetch > libfetch: connecting
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Request to fetch pkg+https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz
DBG(1)[55352]> opening libfetch fetcher
DBG(1)[55352]> Fetch > libfetch: connecting
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i"
^C
[2.6.0-RELEASE][admin@pfSense.xxx.local]/root: nc -vz4 pkg00-atx.netgate.com 443
nc: getaddrinfo: Name does not resolve
-
Ok, so a DNS issue. For v4 at least.
How is the system DNS configured in General Setup?
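The diagnostic reasoning used across this thread (a local "Permission denied" on connect means a packet filter on the firewall itself, pf or ipfw, refused the outbound state; "Name does not resolve" from getaddrinfo means the resolver, not the filter) written up as a small script. This is an added example, not code from the thread or from pfSense. The classifier works offline on captured output; the only inputs it is fed here are the error lines pasted earlier in the thread plus standard libc error strings. The wrapper at the end assumes the pfSense CLI tools already used above (pfctl, pkg-static, nc) and adds what the manual test lacked: a trap so pf is re-enabled even if the fetch hangs and you interrupt it.

```shell
#!/bin/sh
# Added example (not part of the original thread): classify a failed outbound
# connect/fetch from a pfSense box so you know where to look next.
#
# Rules of thumb taken from the thread:
#   "Permission denied" on a local connect()  -> a packet filter on the firewall
#       itself is refusing the state (pf, or ipfw if Captive Portal / Limiters
#       are in use)
#   "Name does not resolve" / getaddrinfo      -> resolver / DNS problem
#   "Connection refused" / "timed out"         -> upstream path, not a local filter
#   anything else                              -> unknown (debug chatter, etc.)

classify_fetch_error() {
    # $1: one line of nc or pkg-static output
    case "$1" in
        *"Permission denied"*)                      echo local_filter ;;
        *"Name does not resolve"*|*getaddrinfo*)    echo dns ;;
        *"Connection refused"*)                     echo upstream_refused ;;
        *"timed out"*)                              echo upstream_timeout ;;
        *succeeded*)                                echo ok ;;
        *)                                          echo unknown ;;
    esac
}

# Read a whole transcript on stdin and report the first failure verdict.
# A transcript with no recognised failure yields "ok".
classify_transcript() {
    verdict=ok
    while IFS= read -r line; do
        v=$(classify_fetch_error "$line")
        case "$v" in
            ok|unknown) ;;
            *) verdict=$v; break ;;
        esac
    done
    echo "$verdict"
}

# Run the pf-disabled test from the thread on a real pfSense box. Assumes
# pfctl, pkg-static and nc are present (they are on pfSense 2.6). The trap
# re-enables pf on exit or Ctrl-C so a hung fetch cannot leave the firewall
# open. Not exercised by the sample run below.
pf_disabled_test() {
    host=${1:-pkg00-atx.netgate.com}            # repo host from the thread
    trap 'pfctl -e' EXIT INT TERM
    pfctl -d
    nc -vz4 -w 5 "$host" 443 >/tmp/nc.out 2>&1
    pkg-static -d update >/tmp/pkg.out 2>&1
    pfctl -e
    trap - EXIT INT TERM
    cat /tmp/nc.out /tmp/pkg.out | classify_transcript
}

# Constructed sample: the netcat line posted earlier in the thread.
sample_transcript='nc: connect to pkg00-atx.netgate.com port 443 (tcp) failed: Permission denied'
printf '%s\n' "$sample_transcript" | classify_transcript   # prints: local_filter
```

If `pf_disabled_test` still reports `local_filter` with pf down, the thread's conclusion applies: on 2.6 the only other filter in play is ipfw, which is loaded for Captive Portal and Limiters. If it reports `dns`, stop looking at rules and check the resolver configuration, as the last reply does.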