Since 3 days: Unable to check for updates



  • on both systems.

    2.0-BETA4 (i386) built on Sat Dec 11 05:06:09 EST 2010
    2.0-BETA4 (amd64) built on Mon Dec 13 02:50:04 UTC 2010



  • I haven't updated in a while. When this thing happened to me it was because the pfSense boxes were missing default routes. What is the output of the shell command:  netstat -rn

    Did you update firmware or was it a fresh install?



  • Route is working.
    But "telnet snapshots.pfsense.org 80" is not responding.
    From LAN i can open http://snapshots.pfsense.org.

    [2.0-BETA4][admin@pfsense.hq2.local]/root(11): traceroute -n -w 1 snapshots.pfsense.org
    traceroute to snapshots.pfsense.org (69.64.6.6), 64 hops max, 52 byte packets
    1  10.125.0.1  6.266 ms  7.577 ms  5.947 ms
    2  80.69.102.241  8.566 ms  5.506 ms  8.476 ms
    3  80.69.107.105  6.075 ms  11.500 ms  6.988 ms
    4  80.69.107.101  13.969 ms  7.700 ms  8.192 ms
    5  80.69.107.201  52.649 ms  8.945 ms  7.664 ms
    6  213.203.213.13  9.002 ms  19.210 ms  8.583 ms
    7  212.162.49.33  8.676 ms  9.255 ms  10.199 ms
    8  4.69.139.1  12.052 ms  9.804 ms  8.545 ms
    9  4.69.143.166  13.255 ms
        4.69.143.174  11.585 ms *
    10  4.69.137.50  102.425 ms
        4.69.137.54  100.727 ms
        4.69.137.62  100.581 ms
    11  4.69.143.222  104.349 ms  102.443 ms  102.442 ms
    12  4.69.143.213  102.473 ms  104.601 ms  101.215 ms
    13  4.69.148.105  119.646 ms  123.892 ms  126.509 ms
    14  4.69.138.3  117.937 ms
        4.69.138.19  114.033 ms
        4.69.138.3  120.528 ms
    15  4.69.140.229  123.030 ms  122.178 ms  123.839 ms
    16  4.69.140.225  121.026 ms  118.301 ms  121.373 ms
    17  4.69.140.221  126.844 ms  127.826 ms  126.471 ms
    18  4.69.140.217  126.489 ms  124.715 ms  123.524 ms
    19  4.59.184.6  130.320 ms  130.337 ms  132.088 ms

    #System aliases
    
    loopback = "{ lo0 }"
    FRITZNET = "{ em0 }"
    LAN = "{ re0 }"
    CABLE = "{ em1 }"
    TDSL = "{ pppoe0 }"
    pptp = "{ pptp }"
    IPsec = "{ enc0 }"
    OpenVPN = "{ openvpn }"
    Internet = "{ Internet }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort2C table
    table <snort2c>table <virusprot># User Aliases
    table <localnet>{   10.19.8.0/22 }
    LocalNet = "<localnet>"
    table <privatenetworks>{   192.168.0.0/16  172.16.0.0/12  10.0.0.0/8 }
    PrivateNetworks = "<privatenetworks>"
    table <remotenet>{   10.19.0.0/22 }
    RemoteNet = "<remotenet>"
    
    # Gateways
    GWL3_Switch = " route-to ( re0 10.19.9.1 ) "
    GWCABLE = " route-to ( em1 178.202.184.1 ) "
    GWFritzbox = " route-to ( em0 192.168.178.1 ) "
    GWTDSL = " route-to ( pppoe0 217.0.118.161 ) "
    GWInternet_GW = "  route-to { ( em1 178.202.184.1 )  }  "
    
    set loginterface em0
    set loginterface re0
    set loginterface em1
    set loginterface pppoe0
    set optimization normal
    set limit states 96000
    set limit src-nodes 96000
    
    set skip on pfsync0
    
    scrub in on $FRITZNET all  random-id  fragment reassemble
    scrub in on $LAN all  random-id  fragment reassemble
    scrub in on $CABLE all  random-id  fragment reassemble
    scrub in on $TDSL all  random-id  fragment reassemble
    
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    nat on $CABLE  from any to any -> 178.202.184.244/32 port 1024:65535
    nat on $TDSL  from any to any -> 79.212.38.103/32 port 1024:65535
    nat on $CABLE  proto udp from any to any port 500 -> 178.202.184.244/32 static-port
    nat on $TDSL  proto udp from any to any port 500 -> 79.212.38.103/32 static-port
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <vpns>{ 10.19.0.0/22 }
    table <direct_networks>{ 192.168.178.0/24 10.19.9.0/24 178.202.184.0/23 79.212.38.103/32 10.10.10.10/32 }
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    
    # snort2c
    block quick from <snort2c>to any label "Block snort2c hosts"
    block quick from any to <snort2c>label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to any port 443 label "webConfiguratorlockout"
    block in quick from <virusprot>to any label "virusprot overload table"
    table <bogons>persist file "/etc/bogons"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $FRITZNET from <bogons>to any label "block bogon networks from FRITZNET"
    antispoof for em0
    antispoof for re0
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $CABLE from <bogons>to any label "block bogon networks from CABLE"
    antispoof for em1
    # allow our DHCP client out to the CABLE
    pass in on $CABLE proto udp from any port = 67 to any port = 68 label "allow dhcp client out CABLE"
    pass out on $CABLE proto udp from any port = 68 to any port = 67 label "allow dhcp client out CABLE"
    # Not installing DHCP server firewall rules for CABLE which is configured for DHCP.
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    block in log quick on $TDSL from <bogons>to any label "block bogon networks from TDSL"
    antispoof for pppoe0
    # block anything from private networks on interfaces with the option set
    antispoof for $TDSL
    block in log quick on $TDSL from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $TDSL from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $TDSL from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $TDSL from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    
    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"
    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 192.168.178.1 ) from 192.168.178.99 to !192.168.178.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em1 178.202.184.1 ) from 178.202.184.244 to !178.202.184.0/23 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pppoe0 217.0.118.161 ) from 79.212.38.103 to !79.212.38.103/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out on $IPsec all keep state label "IPsec internal host to host"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on re0 proto tcp from any to (re0) port { 80 443  22 } keep state label "anti-lockout rule"
    # PPTPd rules
    pass in on $FRITZNET proto tcp from any to 192.168.178.99 port = 1723 modulate state label "allow pptpd 192.168.178.99"
    
    # User-defined rules follow
    pass  in  quick  on $LAN  from   $LocalNet to   $PrivateNetworks keep state  label "USER_RULE: Allow traffic to private networks"
    pass  in  quick  on $LAN  $GWInternet_GW  from   $LocalNet to  ! $PrivateNetworks keep state  label "USER_RULE: Allow LAN to internet rule"
    pass  in  quick  on $Internet  proto esp  from any to any keep state  label "USER_RULE: IPSEC ESP"
    pass  in  quick  on $Internet  proto udp  from any to any port 500  keep state  label "USER_RULE: IPSEC UDP 500"
    pass  in  quick  on $Internet  proto tcp  from any to any port 443  flags S/SA keep state  label "USER_RULE: HTTPS"
    pass  in  quick  on $Internet  proto gre  from any to any keep state  label "USER_RULE: PPTP GRE"
    pass  in  quick  on $Internet  proto tcp  from any to any port 1723  flags S/SA keep state  label "USER_RULE: PPTP TCP"
    pass  in  quick  on $Internet  inet proto icmp  from any to any icmp-type echoreq keep state  label "USER_RULE: PING"
    pass  in  quick  on $Internet  proto tcp  from any to any port 22  flags S/SA keep state  label "USER_RULE: SSH"
    pass  in  quick  on $IPsec  from any to   10.19.8.0/22 keep state  label "USER_RULE"
    pass  in  quick  on $pptp  from any to   10.19.8.0/22 keep state  label "USER_RULE"
    
    # VPN Rules
    pass out on $CABLE  route-to ( em1 178.202.184.1 )  proto udp from any to 178.26.171.103 port = 500 keep state label \"IPsec: KWH - outbound isakmp\"
    pass in on $CABLE  reply-to ( em1 178.202.184.1 )  proto udp from 178.26.171.103 to any port = 500 keep state label \"IPsec: KWH - inbound isakmp\"
    pass out on $CABLE  route-to ( em1 178.202.184.1 )  proto esp from any to 178.26.171.103 keep state label \"IPsec: KWH - outbound esp proto\"
    pass in on $CABLE  reply-to ( em1 178.202.184.1 )  proto esp from 178.26.171.103 to any keep state label \"IPsec: KWH - inbound esp proto\"
    anchor "tftp-proxy/*"
    
    # uPnPd
    anchor "miniupnpd"</bogons></bogons></bogons></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></direct_networks></vpns></remotenet></remotenet></privatenetworks></privatenetworks></localnet></localnet></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    


  • Some more info from packet capture.

    [2.0-BETA4][admin@pfsense.hq1.local]/root(8): telnet snapshots.pfsense.org 80
    Trying 69.64.6.6…
    telnet: connect to address 69.64.6.6: Operation timed out
    telnet: Unable to connect to remote host

    17:52:43.442120 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 3836, offset 0, flags [DF], proto TCP (6), length 60)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7ef (incorrect -> 0x6bbc), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150860580 ecr 0], length 0
    17:52:46.441518 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 35871, offset 0, flags [DF], proto TCP (6), length 60)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7ef (incorrect -> 0x6004), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150863580 ecr 0], length 0
    17:52:49.641525 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 51717, offset 0, flags [DF], proto TCP (6), length 60)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7ef (incorrect -> 0x5384), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150866780 ecr 0], length 0
    17:52:52.841553 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 36006, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    17:52:56.041532 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 65414, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    17:52:59.241529 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 51073, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    17:53:05.441530 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 9832, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    17:53:17.641545 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 41951, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    17:53:41.841542 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 36724, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.27769 > 69.64.6.6.80: Flags [s], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
    						[/s][/s][/s][/s][/s][/s][/s][/s][/s]
    

  • Rebel Alliance Developer Netgate

    Look at ifconfig -a, arp -a, and netstat -rn

    What has the MAC of  00:01:5c:31:0d:80 ?

    Does a capture of a LAN host going to the snapshots site also look the same?



  • 00:01:5c:31:0d:80 is the cable provider gateway

    ifconfig -a

    em0: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
            options=219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic>ether 00:0f:c9:04:db:6a
            media: Ethernet autoselect
            status: no carrier
    em1: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
            options=219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic>ether 00:0f:c9:04:db:6b
            media: Ethernet autoselect
            status: no carrier
    em2: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
            options=219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic>ether 00:0f:c9:04:db:6c
            media: Ethernet autoselect
            status: no carrier
    em3: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
            options=219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic>ether 00:0f:c9:04:db:6d
            media: Ethernet autoselect
            status: no carrier
    em4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=2098 <vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:0f:c9:04:db:6e
            inet 10.19.0.10 netmask 0xffffff00 broadcast 10.19.0.255
            inet6 fe80::20f:c9ff:fe04:db6e%em4 prefixlen 64 scopeid 0x5
            nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    em5: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=2098 <vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 00:0f:c9:04:db:6f
            inet6 fe80::20f:c9ff:fe04:db6f%em5 prefixlen 64 scopeid 0x6
            inet 178.26.171.103 netmask 0xfffffc00 broadcast 178.26.171.255
            inet 192.168.100.199 netmask 0xffffff00 broadcast 192.168.100.255
            nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    pflog0: flags=100 <promisc>metric 0 mtu 33128
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
            options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
            nd6 options=3 <performnud,accept_rtadv>pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128</performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></full-duplex></performnud,accept_rtadv></vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic></broadcast,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic></broadcast,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic></broadcast,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic></broadcast,simplex,multicast>
    

    arp -a

    178-26-171-103-dynip.superkabel.de (178.26.171.103) at 00:0f:c9:04:db:6f on em5 permanent [ethernet]
    ? (192.168.100.199) at 00:0f:c9:04:db:6f on em5 permanent [ethernet]
    178-26-171-254-dynip.superkabel.de (178.26.171.254) at 00:01:5c:31:0d:80 on em5 expires in 1184 seconds [ethernet]
    pfsense.hq1.local (10.19.0.10) at 00:0f:c9:04:db:6e on em4 permanent [ethernet]
    switch1.hq1.local (10.19.0.1) at 00:24:a8:d1:b1:c0 on em4 expires in 866 seconds [ethernet]
    
    

    netstat -rn

    [2.0-BETA4][admin@pfsense.hq1.local]/root(6): netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            178.26.171.254     UGS         0    13160    em5
    8.8.8.8            178.26.171.254     UGHS        0      140    em5
    10.0.0.0/8         10.19.0.1          UGS         0    54465    em4
    10.19.0.0/24       link#5             U           0      439    em4
    10.19.0.10         link#5             UHS         0        0    lo0
    83.169.185.33      00:0f:c9:04:db:6f  UHS         0        0    em5
    83.169.185.97      00:0f:c9:04:db:6f  UHS         0        0    em5
    127.0.0.1          link#9             UH          0      281    lo0
    172.16.0.0/12      10.19.0.1          UGS         0     1917    em4
    178.26.168.0/22    link#6             U           0      431    em5
    178.26.171.103     link#6             UHS         0        0    lo0
    192.168.0.0/16     10.19.0.1          UGS         0    12346    em4
    192.168.100.0/24   link#6             U           0       22    em5
    192.168.100.199    link#6             UHS         0        0    lo0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::1                               ::1                           UH          lo0
    fe80::%em4/64                     link#5                        U           em4
    fe80::20f:c9ff:fe04:db6e%em4      link#5                        UHS         lo0
    fe80::%em5/64                     link#6                        U           em5
    fe80::20f:c9ff:fe04:db6f%em5      link#6                        UHS         lo0
    fe80::%lo0/64                     link#9                        U           lo0
    fe80::1%lo0                       link#9                        UHS         lo0
    ff01:5::/32                       fe80::20f:c9ff:fe04:db6e%em4  U           em4
    ff01:6::/32                       fe80::20f:c9ff:fe04:db6f%em5  U           em5
    ff01:9::/32                       ::1                           U           lo0
    ff02::%em4/32                     fe80::20f:c9ff:fe04:db6e%em4  U           em4
    ff02::%em5/32                     fe80::20f:c9ff:fe04:db6f%em5  U           em5
    ff02::%lo0/32                     ::1                           U           lo0
    
    

    from lan:

    18:19:31.088984 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 126, id 29945, offset 0, flags [DF], proto TCP (6), length 48)
        178.26.171.103.61899 > 69.64.6.6.80: Flags [s], cksum 0xf5e8 (correct), seq 465221272, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    18:19:31.214411 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 44, id 36224, offset 0, flags [DF], proto TCP (6), length 48)
        69.64.6.6.80 > 178.26.171.103.61899: Flags [S.], cksum 0xe973 (correct), seq 3346687466, ack 465221273, win 65535, options [mss 1460,sackOK,eol], length 0
    18:19:31.214864 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 9312, offset 0, flags [DF], proto TCP (6), length 40)
        178.26.171.103.61899 > 69.64.6.6.80: Flags [.], cksum 0x1a46 (correct), seq 1, ack 1, win 64240, length 0
    18:19:34.538216 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 29286, offset 0, flags [DF], proto TCP (6), length 40)
        178.26.171.103.61899 > 69.64.6.6.80: Flags [F.], cksum 0x1a45 (correct), seq 1, ack 1, win 64240, length 0
    18:19:34.663185 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 44, id 26650, offset 0, flags [DF], proto TCP (6), length 40)
        69.64.6.6.80 > 178.26.171.103.61899: Flags [.], cksum 0x1536 (correct), seq 1, ack 2, win 65535, length 0
    18:19:34.663281 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 44, id 3364, offset 0, flags [DF], proto TCP (6), length 40)
        69.64.6.6.80 > 178.26.171.103.61899: Flags [F.], cksum 0x1535 (correct), seq 1, ack 2, win 65535, length 0
    18:19:34.663614 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 43592, offset 0, flags [DF], proto TCP (6), length 40)
        178.26.171.103.61899 > 69.64.6.6.80: Flags [.], cksum 0x1a44 (correct), seq 2, ack 2, win 64240, length 0
    	[/s]
    


  • This appears to be the same problem I'm seeing.  TCP / UDP traffic is blocked if it originates from the pfSense box, but traffic passes fine from all other interfaces.  Routing looks correct.  I can post details as well if that will help.

    My WAN IP is assigned via PPPoE.


  • Rebel Alliance Developer Netgate

    Under System > Advanced on the Network tab, ensure that the boxes are checked to disable hardware checksums, tso, and lro.

    If they're already disabled, try enabling them, though from the ifconfig output, Checksums and TSO appear enabled.



  • I tried on and off and rebooted.



  • System 1 [i386]:

    em0: <intel(r) 1000="" pro="" network="" connection="" 7.1.8=""> port 0x9f00-0x9f1f mem 0xfd9c0000-0xfd9dffff,0xfd9fc000-0xfd9fffff irq 16 at device 0.0 on pci1
    em0: Using MSIX interrupts with 3 vectors
    em1: <intel(r) 1000="" pro="" network="" connection="" 7.1.8=""> port 0xdf00-0xdf1f mem 0xfd5c0000-0xfd5dffff,0xfd5fc000-0xfd5fffff irq 17 at device 0.0 on pci2
    em1: Using MSIX interrupts with 3 vectors
    em2: <intel(r) 1000="" pro="" network="" connection="" 7.1.8=""> port 0xcf00-0xcf1f mem 0xfddc0000-0xfdddffff,0xfddfc000-0xfddfffff irq 18 at device 0.0 on pci3
    em2: Using MSIX interrupts with 3 vectors
    em3: <intel(r) 1000="" pro="" network="" connection="" 7.1.8=""> port 0xbf00-0xbf1f mem 0xfdbe0000-0xfdbfffff,0xfdbc0000-0xfdbdffff irq 19 at device 0.0 on pci4
    em3: Using an MSI interrupt
    em4: <intel(r) 1000="" pro="" legacy="" network="" connection="" 1.0.3=""> port 0xaf00-0xaf3f mem 0xfd8e0000-0xfd8fffff irq 19 at device 10.0 on pci5
    em4: [FILTER]
    em5: <intel(r) 1000="" pro="" legacy="" network="" connection="" 1.0.3=""> port 0xae00-0xae3f mem 0xfd8c0000-0xfd8dffff irq 18 at device 11.0 on pci5
    em5: [FILTER]</intel(r)></intel(r)></intel(r)></intel(r)></intel(r)></intel(r)>
    

    System 2: [amd64]

    rlphy0: <realtek internal="" media="" interface="">PHY 0 on miibus0
    rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    em0: <intel(r) 1000="" pro="" network="" connection="" 7.1.8="">port 0xc200-0xc21f mem 0xf30c0000-0xf30dffff,0xf3000000-0xf307ffff,0xf3100000-0xf3103fff irq 36 at device 5.0 on pci0
    em0: Using MSIX interrupts with 3 vectors
    em1: <intel(r) 1000="" pro="" network="" connection="" 7.1.8="">port 0xc220-0xc23f mem 0xf30e0000-0xf30fffff,0xf3104000-0xf3107fff irq 40 at device 6.0 on pci0
    em1: Using MSIX interrupts with 3 vectors</intel(r)></intel(r)></realtek> 
    


  • sysctl -a | grep tso
    The values don't change if i change it in the gui.

    
    net.inet.tcp.tso: 1
    hw.bce.tso_enable: 1
    dev.em.0.mac_stats.tso_txd: 0
    dev.em.0.mac_stats.tso_ctx_fail: 0
    dev.em.1.mac_stats.tso_txd: 0
    dev.em.1.mac_stats.tso_ctx_fail: 0
    dev.em.2.mac_stats.tso_txd: 0
    dev.em.2.mac_stats.tso_ctx_fail: 0
    dev.em.3.mac_stats.tso_txd: 0
    dev.em.3.mac_stats.tso_ctx_fail: 0
    dev.em.4.mac_stats.tso_txd: 0
    dev.em.4.mac_stats.tso_ctx_fail: 0
    dev.em.5.mac_stats.tso_txd: 0
    dev.em.5.mac_stats.tso_ctx_fail: 0
    
    

  • Rebel Alliance Developer Netgate

    I have an amd64 firmware I built without a certain patch that was added last week. It has fixed a few issues for me and I'm curious if it would fix them for you as well.

    Try to load this firmware on the amd64 system (be sure to grab a config backup just in case) and see if the behavior changes. I'm running this firmware on an amd64 VM of mine so it should be OK.

    http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101212-2328.tgz

    Either try that with a console update by URL, or if that doesn't work, download it to a client machine and then upload it using the GUI.



  • The amd64 system is off-site.
    And i couldn't be there the next 3 days.
    You don't have the i386 version?


  • Rebel Alliance Developer Netgate

    No, I don't have an i386 builder setup on my workstation right now. I might be able to set one up but it probably wouldn't be today.


  • Rebel Alliance Developer Netgate

    OK, I got one for i386 done now.

    The URLs for both are:

    amd64 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101212-2328.tgz

    i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz

    Give it a try, see if it helps.


  • Banned

    Do these snaps come online so one can update?

    I just cant get the 2.0 running…..everything seems fine, but it aint routing....

    Dont have any logs, because I got so pissed that I deleted the VM :D


  • Rebel Alliance Developer Netgate

    @Supermule:

    Do these snaps come online so one can update?

    I just cant get the 2.0 running…..everything seems fine, but it aint routing....

    Dont have any logs, because I got so pissed that I deleted the VM :D

    The links I posted are not full installs, just firmware updates, and they were only intended to be used to assist the person who started this thread. If your problem isn't exactly the same, start a new thread.


  • Banned

    Thx buddy!

    I did…

    http://forum.pfsense.org/index.php/topic,31066.0.html

    :)

    @jimp:

    @Supermule:

    Do these snaps come online so one can update?

    I just cant get the 2.0 running…..everything seems fine, but it aint routing....

    Dont have any logs, because I got so pissed that I deleted the VM :D

    The links I posted are not full installs, just firmware updates, and they were only intended to be used to assist the person who started this thread. If your problem isn't exactly the same, start a new thread.



  • I've installed the i386 update and that has solved the problem for me.  Thanks JimP!



  • Thank you.
    It's working.
    What's the trick?


  • Rebel Alliance Developer Netgate

    There is a patch meant to fix pf's behavior with TSO and checksums, but it seems to be causing a few other problems.

    EDIT: I disabled the patch in the repo and have a new snapshot building now. The next new snapshot dated after this update should be OK.


Locked