PfSense unable to resolve *.pfsense.org



  • OK I did a fresh install of 2.2.1-RELEASE on a VM in vSphere.  I connected it to a MetroEthernet line, the other end of the MetroEthernet link is connected to a co-location WAN.  I set the firewall with the correct network info for the co-location.
    I can ping goolge.com, and 8.8.8.8 from it, but the firewall can't check for updates from updates.pfsense.org.  I found the ip address for 208.123.73.82, and the firewall can ping it just fine.  So I think it's some type of DNS problem.

    I installed a 2nd fresh install of 2.2.1-RELEASE at the co-location on the other side of the MetroEthernet link, and it works fine.  So any suggestion on how to work around this problem?

    I have tried adding a static route for updates.pfsense.org -> 208.123.73.82 didn't work.  I also played with the setting in "System > General Setup", "Services > DNS forwarder", "Services > DNS Resolver", not an expert as DNS so some of it was guess work.  When I do "Diagnostices > DNS Lookup" for updates.pfsense.org I get…

    208.123.73.82
    162.208.119.39

    127.0.0.1 No response
    8.8.8.8 33 msec
    8.8.4.4 31 msec

    When I do a "Diagnostices > Ping" of updates.pfsense.org, it works on WAN, LAN, localhost, and default.

    When I do a "System > Packages" I get an error message about SSL certificate could not be verified.



  • This
    @ssanders76:

    127.0.0.1 No response

    is strange. It means the local DNS (DNS Resolver) isn't running.

    Service => DNS Resolver : active it and leave Listen port empty && Outgoing Network Interfaces =  All && Network Interfaces = All (check DHCP Registration && Static DHCP).

    Check Status => Services : is it running :




  • @Gertjan:

    This
    @ssanders76:

    127.0.0.1 No response

    is strange. It means the local DNS (DNS Resolver) isn't running.

    Service => DNS Resolver : active it and leave Listen port empty && Outgoing Network Interfaces =  All && Network Interfaces = All (check DHCP Registration && Static DHCP).

    Check Status => Services : is it running :

    I tired that setup no change, the Service is running, I tried restarting it didn't help.

    I tired setting the "System > Firmware > Updater Settings"  to be just IP address, the interface ran very slow, and it didn't fix the problem, just said custom URL could not be found.

    I made 2 png of the error messages I'm getting.






  • I'm wondering if your SSL session is being intercepted, and that's what is making the update check fail.



  • @ssanders76:

    I tired that setup no change, the Service is running, I tried restarting it didn't help.

    Sorry, but this is a solid proof:

    127.0.0.1 No response
    

    THis says: their is no DNS server running (better said: accessible, reachable) at 'localhost' == the pfSEnse box itself.
    Of course, weird network setup like IP WAN = IP LAN, complete firewall-rule-madness or strange NAT rules could also explain that pfSense (== 127.0.0.1) can't connect to pfSense (==127.0.0.1).
    But: out of the box, clean install, nearly no setup except "connect WAN" => it works.



  • @Gertjan:

    @ssanders76:

    I tired that setup no change, the Service is running, I tried restarting it didn't help.

    Sorry, but this is a solid proof:

    127.0.0.1 No response
    

    THis says: their is no DNS server running (better said: accessible, reachable) at 'localhost' == the pfSEnse box itself.
    Of course, weird network setup like IP WAN = IP LAN, complete firewall-rule-madness or strange NAT rules could also explain that pfSense (== 127.0.0.1) can't connect to pfSense (==127.0.0.1).
    But: out of the box, clean install, nearly no setup except "connect WAN" => it works.

    I didn't do any fancy setup, just did the setup wizard, and turn off IPv6, it not supported by the IPS.

    But I think KOM might be right the SSL being intercepted.  I didn't notice at first, but I can't get to a lot of web sites that use SSL;  pfsense.org being one of them.  I send an e-mail off to my ISP asking about it.



  • Keep this in mind: if DNS isn't working, certificates can't be checked against their "authority", so you will have troubles looking at SSL (https) sites.
    Again: the problem is IN your box. Not your IPS.
    Remember: without your pfSense box, "Internet" was doing well - and I bet you could visit https://updates.pfsense.org/ just fine.



  • I didn't notice at first, but I can't get to a lot of web sites that use SSL;

    This implies that he can get to other non-HTTPS sites.  If his problem was DNS, he would not be able to go anywhere at all.

    Edit: not



  • @Gertjan:

    Keep this in mind: if DNS isn't working, certificates can't be checked against their "authority", so you will have troubles looking at SSL (https) sites.
    Again: the problem is IN your box. Not your IPS.
    Remember: without your pfSense box, "Internet" was doing well - and I bet you could visit https://updates.pfsense.org/ just fine.

    Well at first I thought I could go to other web sites I could get to https://google.com, but then I started try others and they didn't work.

    I can also plug the VM box into the WAN for our local internet and it works OK.

    I'm still waiting on a reply from the ISP.



  • Can you go to any HTTP sites at all?



  • @KOM:

    Can you go to any HTTP sites at all?

    Yes; no problems getting to http port 80.



  • OK, that rules out DNS definitively.  I'd start by looking at the certificate error you're getting with HTTPS sites and see if the cert matches the site.  Your datacentre may be transparently proxying your SSL traffic.



  • @KOM:

    OK, that rules out DNS definitively.  I'd start by looking at the certificate error you're getting with HTTPS sites and see if the cert matches the site.  Your datacentre may be transparently proxying your SSL traffic.

    In firefox it give me the message
    "Secure Connection Failed"
    An error occurred during a connection to www.pfsense.org.  The server rejected the handshake because the client downgraded to a lower TLS version then the server supports. (Error code: ssl_error_inappropiate_fallback_alert)
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

    Chrome just give an error about took too long to respond.


  • Banned

    You'd better have a long angry talk to your ISP.



  • A quick Google shows that lots of people are having this same type of problem specifically with Firefox, but you mentioned Chrome times out.  It shouldn't time out.  What happens if you use IE <shiver>?  Are you running any local antivirus solution that has URL-scanning or SSL-filtering options?</shiver>



  • @KOM:

    A quick Google shows that lots of people are having this same type of problem specifically with Firefox, but you mentioned Chrome times out.  It shouldn't time out.  What happens if you use IE <shiver>?  Are you running any local antivirus solution that has URL-scanning or SSL-filtering options?</shiver>

    IE took a very long time to give a time out error.  No antiviruses, just another VM running windows 7 plugged into the same vlan as the pfsense box LAN.



  • Hmm, I don't know what else to check.  Perhaps ask your colo support about the symptoms and see if they are doing anything.



  • OK, the ISP say they are don't do any type of filtering, and they don't know why I would be having this problem.

    The guys at the co-location are saying they don't support having a firewall on my side of the metro E link.  They want me to setup a a firewall at the co-location and then connect my management network over the metro E link.  That seems link a security risk to me, but they assure me all there other clients do it, and it perfectly safe.  I have never used a metro E link before, so should I be worried?

    I going to setup a test and see if it will even work they are suggestion either today or tomorrow.

    [edit]
    OK I did the test of putting the firewall on the other side of the metro E link.  And connecting the windows 7 test machine on the other side of the metro E link.  Same problem, no change other then I can now get up dates from pfsense.org, for the firewall.

    [edit]
    OK the guy at the co-location put a sonic wall inplace of the pfsense, same problem.



  • I didn't think it was a pfSense problem.  Now yo know for sure.



  • @KOM:

    I didn't think it was a pfSense problem.  Now yo know for sure.

    It was a issues with the switch at the co-location.  My tests now show it working so going to go live with the changes this weekend.  Thanks to everyone. :)


Log in to reply