Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    No updates or packages - DNS OK - detailed troubleshooting attached

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    13 Posts 4 Posters 7.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nwisrlit
      last edited by

      Sorry to bring up a popular topic, but I've read all the other "can't update" / "can't get packages" posts I could find & my error wasn't described.

      SYSTEM
      "System Information" - "Version" on "Status: Dashboard" reads:
      = = = = = = = = = = = = = = = = = = = = = = = =
      2.0.1-RELEASE (i386)
      built on Mon Dec 12 17:53:52 EST 2011
      FreeBSD 8.1-RELEASE-p6

      Unable to check for updates.
      = = = = = = = = = = = = = = = = = = = = = = = =
      No NAT. WAN & LAN ports as out-of-box. Added DMZ interface as option. Running on a normal box with 3 NICs.

      PROBLEMS
      Can't get updates or packages.

      Going to "System: Package Manager" & clicking "Available Packages" tab takes a long time & errors with "Unable to communicate with www.pfsense.com. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity."

      Going to "System : Firmware" & clicking "Auto Update" takes a while & comes up with:
      = = = = = = = = = = = = = = = = = = = = = = = =
      Downloading new version information…done
      Unable to check for updates.
      Could not contact pfSense update server http://updates.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/.updaters/
      = = = = = = = = = = = = = = = = = = = = = = = =

      Going to "System : Firmware" & clicking "Updater Settings" takes a VERY long time. "Use a URL server for firmware upgrades other than www.pfsense.org" is NOT checked, so I'm using the default. Also, I'm not getting the drop-down box that many talk about - is that applicable to my version?

      TROUBLESHOOTING
      For now, for testing, first rule in WAN is allow all traffic to pfSense box. First rule in LAN is allow all traffic from pfSense box to WAN.  Both rules logged, but nothing's showing up in the logs (different issue?). Those rules shouldn't be necessary, though; there are no blocking rules on LAN & last LAN rule is | * | LAN net | * | * | * | * | none | | (allow anything from the LAN out and allow response traffic back in - works correctly on all LAN clients).

      Manually pointing a browser inside the LAN to the updates URL listed above shows a 404 error, so it's getting to the server, which is talking back, just not with a list of updates, but http://redmine.pfsense.org/issues/2532 says that's as it should be.

      At "Diagnostics: DNS Lookup":
      www.pfsense.com = www.pfsense.org.
      www.pfsense.org = 69.64.6.21
      updates.pfsense.org = 91.227.27.66

      "Diagnostics: Traceroute" shows hopping to my ISP, then all asterisks, in both "Use ICMP" mode and not. From a client on my network, traceroute shows the pfSense box, my ISP GW, one hop up from there, then all asterisks. tcptraceroute shows the same thing but only asterisks in lines 4-9; step 10 actually gets to 69.64.6.21.

      BETTER TROUBLESHOOTING
      Tried one more thing while composing this - ssh to box, nslookup for pfsense addresses works as expected, but "links http://www.pfsense.org" got nowhere. Tried several other websites, could not get to any of them. Like I said, for troubleshooting I already specifically opened up all traffic back & forth to pfSense box:

      WAN RULE:
      Action: Pass
      Disabled: NO
      Interface: WAN
      Protocol: any
      Source: any
      Dest: LAN address
      Log: YES

      LAN RULE:
      Action: Pass
      Disabled: NO
      Interface: LAN
      Protocol: any
      Source: LAN address
      Dest: any
      Log: YES

      Am I missing something obvious somewhere? How do I allow my box to speak to the outside world (and listen when it speaks back?)

      Thanks,
      Dan
      NoDropdown.png
      NoDropdown.png_thumb

      1 Reply Last reply Reply Quote 0
      • L
        Lee Sharp
        last edited by

        Yes, you are missing a drop down.  Try sticking this in the link window.  http://updates.pfsense.org/_updaters  That is for a 32 bit I am running.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          I agree with Lee's suggestion.
          The URL that your box is checking is no longer relevant. It was from an older 2.0 beta or snapshot. Have you updated from a beta version?

          Steve

          1 Reply Last reply Reply Quote 0
          • N
            nwisrlit
            last edited by

            Lee - Thanks for the updated link. Unfortunately, when I copied/pasted it in, it still doesn't see updates or packages (does that link affect packages?) FWIW, the dropdown doesn't show up in chrome, firefox, or IE.

            stephenw10 - No upgrades - this was a fresh install using pfSense-2.0.1-RELEASE-i386.iso, md5sum 62dc3ed11a5161b9e4f19dec94da589c.

            Am I wrong in thinking that I should be able to use "links" to reach the outside world? Should updates/packages work even if "links" doesn't?

            Thanks,
            Dan

            1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              If links doesn't work, the GUI probably won't work either.

              If that firmware drop-down it missing it also means it can't reach the pfSense servers as it's populated from a manifest file that gets pulled from us.

              It still looks/sounds like a general connectivity issue – not a problem with pfSense -- but perhaps your WAN IPs, gateway, subnet mask, or some filtering/proxy upstream.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • N
                nwisrlit
                last edited by

                jimp -

                I'm not being blocked upstream or misconfigured in basic networking because from any LAN client I can navigate to http://updates.pfsense.org/_updaters/ and get the 404, or get the manifest from http://updates.pfsense.org/manifest.

                I'm not saying it's a bug/problem with pfSense - I'm assuming I made a misconfig somewhere & I'd like some help tracking it down.

                More troubleshooting:
                Used "links" to connect to webservers on my LAN & DMZ = works

                Created alias "TESTpfSenseALL" containing WAN, LAN, & DMZ addresses of the pfSense box.

                Changed first rule in LAN to | * | TESTpfSenseALL | * | * | * | * | none |  |
                Changed first rule in WAN to | * | * | * | TESTpfSenseALL | * | * | none |  |

                Still cannot update, see packages, or get to ANY outside websites via "links".

                1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Check "netstat -rn"

                  Especially the default gateway. The default gateway should be your WAN gateway.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 0
                  • N
                    nwisrlit
                    last edited by

                    Default gateway shows the number given to me by the provider as the next hop "up".

                    Traceroute from pfSense to any given outside address shows an immediate hop to the GW, but then all asterisks.

                    Traceroute from any client on the LAN to any outside address shows a hit to pfSense, then a hit to the GW, then one hop beyond that, then asterisks (usually). Client comms all work, so that gateway is valid.

                    I did "pfctl -d" as root, and links & updates (didn't check packages) didn't work, so I think my rules are OK.

                    Wireshark on a hub between defaultGW and pfSense showed no activity whatsoever for pfSense box's LAN address or WAN address while I tried to use "links http://<anything>.com", updates, and packages.

                    This install is about 6 months old, with 70 machines behind it, including websites accessible from the outside world. Everything works great except upgrades/packages & network ops from the command line to the outside world. Every endpoint BUT the pfSense box itself routes fine.

                    Thanks,
                    Dan</anything>

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Do your internal users get NAT applied outbound to a different IP than your WAN IP?

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • N
                        nwisrlit
                        last edited by

                        No NAT.

                        More troubleshooting:
                        Another tenant in our bldg lets us "borrow" some of their bandwidth for testing etc. - the box has one of our LAN addresses & NATs out to one of theirs (so multiple users in our net have access via them).

                        In "System: Gateways" I created a new GW pointing to our side of the "go-between" box. In "System: Static Routes", I set both 69.64.6.21/32 (www.pfsense.org) & 91.227.27.66/32 (updates.pfsense.org) to point to the new GW. Both updates & packages worked.

                        Just for kicks, I manually set those two IPs to route through WANGW. No go, of course.

                        Leaving the GW pointed to the co-tennant, a traceroute shows that my LAN clients also route through their internet connection.

                        So AFAICT, something makes my pfSense box different from all my other boxes. I don't know where that something is, but it's not in the firewall rules, since "pfctl -d" didn't help.

                        Thanks,
                        Dan

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Actually you just managed to prove it was, in fact, your ISP on WAN (or your WAN settings).

                          (Unless you have some really broken outbound NAT rules…)

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • N
                            nwisrlit
                            last edited by

                            ROOT PROBLEM FOUND

                            Duh.

                            Uplink is point-to-point with a pair of RFC1918 (private) addresses; wireshark confirms that attempts to reach the outside world source from there. Sorry to have wasted your time.

                            I don't suppose there's a reasonable way on a non-NAT box to force the traffic headed to the wider world to go "thru" the firewall & end up with a routeable outside IP, is there?

                            Thanks,
                            Dan

                            1 Reply Last reply Reply Quote 0
                            • N
                              nwisrlit
                              last edited by

                              FAIL on my part:

                              I had done a wireshark, checking for LAN & WAN addresses (see post #8). I used a capture filter and TYPO'd the IP for the WAN (got the LAN right, but that didn't matter). It was only by one digit…  :(

                              Would have been good to know 2 days ago.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.