can't update pfsense or install packages
-
Your config contains:
# User Aliases
table <files01_netgate_com> { 208.123.73.209/32 2610:160:11:18::209/128 }
files01_netgate_com = "<files01_netgate_com>"
table <files00_netgate_com> { 208.123.73.207/32 2610:160:11:18::207/128 }
files00_netgate_com = "<files00_netgate_com>"
table <pkg01_atx_netgate_com> { 208.123.73.209/32 2610:160:11:18::209/128 }
pkg01_atx_netgate_com = "<pkg01_atx_netgate_com>"
table <pkg00_atx_netgate_com> { 208.123.73.207/32 2610:160:11:18::207/128 }
pkg00_atx_netgate_com = "<pkg00_atx_netgate_com>"
Those are user created but are not currently being used in the ruleset. If at any time they were used it's possible some old rule is somehow still loaded.
Can we assume you have rebooted at some point? That would clear any old rules.
-
@stephenw10 I just rebooted the router but nothing changes
-
So you have those aliases but never used them in a firewall rule?
Do you have an upstream proxy configured?
-
@stephenw10 said in can't update pfsense or install packages:
So you have those aliases but never used them in a firewall rule?
yes
-
@stephenw10 said in can't update pfsense or install packages:
Do you have an upstream proxy configured?
no
-
Ok try this. At the CLI run:
pfctl -d
That will disable the firewall entirely.
Then try to update again:
pkg-static -d update
Re-enable the firewall again:
pfctl -e
-
@stephenw10 I lost internet completely when I disabled the firewall
-
You would lose it from a client behind the firewall because it also disables NAT, but does it allow the firewall to connect to the package servers?
-
@stephenw10 No, the firewall update status keeps looking in the dashboard.
Tried the update from command prompt, no success.
Package manager is unable to connect to servers.
-
Does it still show 'permission denied' though with the firewall disabled?
-
@stephenw10 permission denied where?
-
When you run pkg-static -d update. Previously you were seeing:
DBG(1)[49613]> Fetch: fetching from: https://pkg00-atx.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i4"
pkg-static: https://pkg00-atx.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz: Permission denied
And similarly in the netcat test:
$ nc -vz4 pkg00-atx.netgate.com 443
nc: connect to pkg00-atx.netgate.com port 443 (tcp) failed: Permission denied
Since it can't create states locally it must be something on the firewall doing that.
So if we disable pf and it still shows that error that means it must be something other than pf. Which in 2.6 could really only be ipfw.
But that's only used in the Captive Portal and for Limiters.
So since you're not using Captive Portal, do you have Limiters defined? I don't see any rules passing traffic into pipes if you do.
-
@stephenw10 said in can't update pfsense or install packages:
nc -vz4 pkg00-atx.netgate.com 443
After disabling pf I got this:
[2.6.0-RELEASE][admin@pfSense.xxx.local]/root: pkg-static -d update
DBG(1)[55352]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[55352]> PkgRepo: verifying update for pfSense-core
DBG(1)[55352]> PkgRepo: need forced update of pfSense-core
DBG(1)[55352]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[55352]> Request to fetch pkg+https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf
DBG(1)[55352]> opening libfetch fetcher
DBG(1)[55352]> Fetch > libfetch: connecting
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.conf with opts "i"
DBG(1)[55352]> Request to fetch pkg+https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz
DBG(1)[55352]> opening libfetch fetcher
DBG(1)[55352]> Fetch > libfetch: connecting
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i"
DBG(1)[55352]> Fetch: fetching from: https://packages.netgate.com/pfSense_v2_6_0_amd64-core/meta.txz with opts "i"
^C
[2.6.0-RELEASE][admin@pfSense.xxx.local]/root: nc -vz4 pkg00-atx.netgate.com 443
nc: getaddrinfo: Name does not resolve
-
Ok so a DNS issue. For v4 at least.
How is the system DNS configured in general setup?
-
@stephenw10 I'm using a local pihole server, but I did try google & cloudflare dns servers with no luck.
Do you want me to run some tests?
-
Yes, some testing is needed in pfSense.
But first confirm how pfSense is configured for DNS in General Setup. Is it using only the pihole?
-
@stephenw10 sorry for the late response, yes under "system / general setup" I have set up one dns server (my local pi-hole)
-
But what is 'DNS Resolution Behavior' set to? Is it actually using the configured server? By default it will only use that if Unbound doesn't reply on localhost.
-
Ok, so it's trying to use localhost (Unbound). It should fall back to the pihole if that fails but try setting that to 'Use remote DNS servers' and see if that changes anything.
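
The comparison the thread works through (output with pf enabled versus output after `pfctl -d`), as an added example that is not part of any poster's message: a POSIX sh sketch that maps the two captured outputs to the layer at fault. The function names and the labels they print are assumptions; the sample lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify_output and triage are
# hypothetical helper names; the labels they print are assumptions.

# Map one captured output (pkg-static -d update or nc -vz4) to a failure layer.
classify_output() {
    case $1 in
        *"Permission denied"*)     echo filter ;;   # connect() refused on the box itself
        *"Name does not resolve"*) echo dns ;;      # getaddrinfo failed before connect
        *"succeeded"*)             echo ok ;;       # nc completed the TCP handshake
        *)                         echo unknown ;;  # e.g. fetch hangs until ^C
    esac
}

# $1 = output captured with pf enabled, $2 = output captured after `pfctl -d`.
triage() {
    with_pf=$(classify_output "$1")
    without_pf=$(classify_output "$2")
    case "$with_pf:$without_pf" in
        # Error persists with pf off: something other than pf is refusing it.
        filter:filter) echo "not pf; check ipfw (Captive Portal, Limiters)" ;;
        # Name lookup fails first, so the connect was never retested.
        filter:dns)    echo "DNS fails with pf disabled; connect step not reached" ;;
        filter:ok)     echo "pf ruleset was refusing the connection" ;;
        dns:*|*:dns)   echo "DNS resolution is failing" ;;
        ok:*)          echo "no fault seen with pf enabled" ;;
        *)             echo "inconclusive; capture more output" ;;
    esac
}

# Constructed samples, copied from the output quoted in the thread.
PF_ON='nc: connect to pkg00-atx.netgate.com port 443 (tcp) failed: Permission denied'
PF_OFF='nc: getaddrinfo: Name does not resolve'

triage "$PF_ON" "$PF_OFF"
```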