Solved: Is a direct (unproxied) Internet Connection needed to upgrade to 2.3 ??



  • We use multiple virtual pfSense firewalls for internal test segmentation, they do not have direct access to the internet they only have access via a proxy.

    I have recently tried to upgrade two instances one running 2.2 and one running 2.2.6 to 2.3 and both have failed in the same manner.

    Using the Auto-Upgrade mechanism, via the web console, the update is successfully downloaded and installs fine, following the initial reboot both displayed the following error in a continuous loop:

    "ERROR!!! An error occurred on pkg execution (rc = 70) with parameters 'update-f':
    pkg : http://pkg.pfsense.org/pfsense_v2_3_0_i386-core/meta.txz : no route to host"
    pkg : http://pkg.pfsense.org/pfsense_v2_3_0_i386-core/packagesite.txz : no route to host"
    pkg : http://pkg.pfsense.org/pfsense_v2_3_0_i386-pfSense_v2_3_0/meta.txz : no route to host"
    pkg : http://pkg.pfsense.org/pfsense_v2_3_0_i386-pfSense_v2_3_0/packagesite.txz : no route to host"

    To me this suggests that a direct internet connection is required to retrieve some data, which is no longer in the update, is there any way around this ?

    Thanks



  • Hey,
    That errors look like exactly what i faced yesterday when upgrading it. so far from what i understand after digging and experiencing so far

    1. You might need to reconfigure /etc/resolve.conf . this file contain records of name server, so you will need to update them to google DNS. That might fix it
    2. The connection need to specify gateway in order to download the file.
    3. Using proxy to support HTTP internal system under System -> Advance -> Misc will cause a result. Even if you install 2.3 from scratch, it will still suffer from finding Available Package under System -> Packages.
    4. If your connection to Internet is stand behind another proxy it will likely causing problem (ex: you use Pfsense as a Proxy connect to another upstream proxy)

    Other option is hold that update until a patch is release and come back to use 2.2.6 if you have a Snapshot of your proxy before upgrade



  • Name resolution of pkg.pfsense.org is fine, my existing DNS Servers resolve that ok. I already have a proxy set in System -> Advance -> Misc as this is used by the Auto Update mechanism, which downloads the 2.3 upgrade file fine.

    The issue is on that first reboot, it would seem that it attempts a direct connection at that point which causes issues in a proxied environment.

    As soon as I had made note of the issue, I reverted both instances back to the Snapshot I took before starting the upgrade process. So there was minimal impact.

    I am hoping there is a work around/fix otherwise I will not be able to go to 2.3 for these instances.



  • Hey so i figured i would jump on this post too as it is the same problem that i am having.

    My pfsense box cant access the internet unless it is using a proxy (the proxy is separate to this instance of pfsense). It managed to update to 2.3 and is currently forwarding traffic like expected but now it is stuck attempting to download package metadata :(

    I have attempted to add a proxy to the pkg configuration but that has not helped it does not even attempt to contact the proxy.

    pkg_env: {
      http_proxy: "http://10.xxx.xxx.xxx:8080"
    }

    I am not sure if this is a pfsense problem or a bug with pkg itself not liking proxies.

    Thanks for a great product, Yon




  • I believe that the bug on pfsense itself.

    I have tested a fresh installation of 2.3 on my Citrix environment. As long as i config the proxy under System - Advance - Misc. The webConfigurator will hang and display a 504 error (Gateway fail). if you try to check a available packages it will crash and force to reboot.

    I hope this issue will be rectify on next patch



  • +1 for a way to update systems offline!

    Scenarios when this is required:

    • when internal pfSense systems can't see the internet, only through proxy (like above)
    • when upgrading spare (second) hardware offline first, and replacing in production environment just by plugging the cables between the old and the new, to ensure minimal downtime and 100% working previous state

    I would imagine something like a utility to analyze the configuration first, and evaluate if it's possible or not to do the update offline (meaning: no direct internet connection available at the moment when the system boots up first time after the upgrade).
    For offline update, offer the possibility to download the package files somehow manually, and be able to give them to the firewall during the first boot after the update, to be able to finish it properly.
    Like a gzipped file containing all that's needed for package reinstallation, pretty much like Dropbox does.



  • @YonNomNom:

    I have attempted to add a proxy to the pkg configuration but that has not helped it does not even attempt to contact the proxy.

    pkg_env: {
      http_proxy: "http://10.xxx.xxx.xxx:8080"
    }

    As I was watching the console, I hadnt realised the upgrade had actually worked and the GUI was accessible.

    So , taking your lead I CTRL+C to break in to the console, copied pkg.conf.sample to pkg.conf and modified the pkg_env sections as follows:

    pkg_env: {
    http_proxy=http://proxy:port
    https_proxy=http://proxy:port
    HTTP_PROXY=http://proxy:port
    HTTPS_PROXY=http://proxy:port
    }

    Obviously replacing the proxy and port with my details.

    Rebooted and all is good it pulled down the packages. Not sure if it is the upper case or the https entries that helped, but it is working and it wont hurt to keep both in the file.



  • @GuruNot:

    So , taking your lead I CTRL+C to break in to the console, copied pkg.conf.sample to pkg.conf and modified the pkg_env sections as follows:

    So how do we get this fixed for the next release?


  • Rebel Alliance Developer Netgate

    It was working at one point earlier in 2.3, but may have regressed. We're looking into it again. https://redmine.pfsense.org/issues/6149



  • Just created a new ticket: https://redmine.pfsense.org/issues/6151
    Edit: we were working both in the same time  ???


  • Rebel Alliance Developer Netgate

    @robi:

    Just created a new ticket: https://redmine.pfsense.org/issues/6151

    See my message just above yours. I'd already created a ticket for it. :-)



  • Lots of tickets these days, isn't it  :-\



  • @GuruNot:

    So , taking your lead I CTRL+C to break in to the console, copied pkg.conf.sample to pkg.conf and modified the pkg_env sections

    For people who read this, path is /usr/local/etc/pkg.conf :)

    No need to copy pkg.conf.sample, juste create pkg.conf and add

    @GuruNot:

    pkg_env: {
    http_proxy=http://proxy:port
    https_proxy=http://proxy:port
    HTTP_PROXY=http://proxy:port
    HTTPS_PROXY=http://proxy:port
    }

    Rebooted and all is good it pulled down the packages.


  • Rebel Alliance Developer Netgate

    Editing that file is kind of ugly.

    Try the patch I just added to https://redmine.pfsense.org/issues/6149



  • What would be the right time to apply this patch without having trouble in the update process from the previous version?

    regards



  • the patch from https://redmine.pfsense.org/issues/6149 worked for me, but only after changing the uppercase HTTP_PROXY to lowercase http_proxy


Log in to reply