Disabling IPv6 and update packages/firmware bug
-
Have noticed for a few builds now, that when IPv6 is set to DHCP6 on the WAN interface, I can download and check packages just fine, and the WebGUI shows whether I am on the latest version or not. But, if I set the WAN IPv6 to None anything that checks for package or firmware updates fails with a timeout. Below is what is seen in the system log when viewing the dashboard, as well as after trying to navigate to the packages.
nginx: 2016/01/19 06:44:42 [error] 19548#0: *12 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.21, server: , request: "GET /widgets/widgets/system_information.widget.php?getupdatestatus=1 HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.1.2", referrer: "http://192.168.1.2/index.php"nginx: 2016/01/19 06:47:47 [error] 19548#0: *18 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.21, server: , request: "GET /pkg_mgr_installed.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.1.2", referrer: "http://192.168.1.2/status_logs.php"When attempting to visit packages, I also get a "Gateway Timeout" error that shouldn't occur either.
Using a satellite ISP that employs a dual stack modem, this issue does not occur on 2.1.5 or any of the 2.2.x builds for me.
This issue also does not affect normal browsing, just seems what ever is checking for the package information, and firmware information from PFSense is failing after it has had an IPv6 address to use in the past, but no longer does.
This also creates a real-world problem for me, as my ISP is known to have issues with IPv6 stability, sometimes they can give an address, other times, they do not.
-
In that case you should set the system to prefer IPv4. What's happening there it sounds like is IPv6 is cached as preferred, then you take it away but that process doesn't clear out everything that might possibly cache things. The same is true in every version ever in some places and ways, though given underlying differences between, that might happen in different ways in 2.3 vs. prior versions.
-
Just saying, regardless of that setting, 2.3 should not "prefer" ipv6 over ipv4 just because it had an ipv6 address for a little bit. If it looses that IPv6 address, it should know on it's own that it won't be able to communicate via IPv6 and go straight to IPv4 to check for things, or at a minimum, use IPv4 as a fallback for anything that it can should ipv6 fail.
EDIT:
Checked the "Prefer IPv4 over IPv6" option in advanced, and no dice, same error. So yup, bug.
-
This also creates a real-world problem for me, as my ISP is known to have issues with IPv6 stability, sometimes they can give an address, other times, they do not.
I can't ever check for updates with IPv6 turned on in 2.2 or 2.3, even though other IPv6 traffic works fine (youtube, etc). Because of this behavior in 2.2 I've given up and just disabled IPv6 altogether in pfSense. Which is a shame - I think the system should handle this more gracefully.
-
The general lack of fallback has a bug ticket open.
https://redmine.pfsense.org/issues/3152Checked the "Prefer IPv4 over IPv6" option in advanced, and no dice, same error.
You have to flush whatever has a cache after doing so. Reboot with it set to prefer IPv4 and you won't hit that.
I can't ever check for updates with IPv6 turned on in 2.2 or 2.3, even though other IPv6 traffic works fine (youtube, etc).
Sounds like you aren't getting a functional IPv6 IP assigned WAN-side. Your LAN hosts will go out via your routed/PD'ed internal subnet, the firewall itself will go out via whatever's assigned to its WAN.