Messages - BruceOS

#1
1) try your tunable BUT

net.inet.rss.enabled = 0


- I had problems with that for updates under Proxmox, maybe it is affecting throughput as well.


2) otherwise remove all tunables and go one by one (again)

3) AND I see you have 4 SOCKETS 1 CORE
AND I THINK maybe you meant 1 SOCKET 4 CORES with your E3-1275V5

SOCKET = CPU SOCKET - you have 1 E3-1275V5? Right
CORE = Number of cores available for the VM including your VirtIO Hardware. Maybe you are CPU throttling?

Even if you had 4 sockets, it would not be a good thing to multithread with different CPUs, maybe there is a use case I don't know out there :)


Client Settings for Proxmox

agent: 1
balloon: 0
boot: order=scsi0;ide2;net0
cores: 2
cpu: host,flags=+aes
efidisk0: local-lvm:vm-110-disk-0,efitype=4m,pre-enrolled-keys=1,size=16G
hostpci1: 0000:05:00,pcie=1,rombar=0   ##>> PCI pass through for WAN Interface
ide2: none,media=cdrom
machine: q35
memory: 3072
name: opnsnse
net0: virtio=99:99:YY:XX:XX:XX,bridge=vmbr0,queues=4   ##Standard queue is 1 parallel stream
net2: virtio=99:99:YY:XX:XX:XX,bridge=vmbr10,queues=4  ##Standard queue is 1 parallel stream
numa: 0
onboot: 1
ostype: l26
scsi0: local-lvm:vm-123-disk-0,size=16G
scsihw: virtio-scsi-pci
smbios1: uuid=xxyyzz #your personal (SeaBIOS)
sockets: 1
startup: order=1,up=1
vmgenid: xxyyzz #your personal


4) Try deactivating IPS / IDS for testing
Service -> Intrusion Detection -> Settings
[ ] Enabled  #unchecked
[ ] IPS mode #unchecked
#2
net.inet.rss.enabled=0  (Fetching via IPv4 works again via WAN1)
8) THANK YOU - Progress - added that rss value to tunables when going to multicore CPU - setting it to 0 solved fetching problem. - But it still does not update correctly. But with the knowledge I have I post a working setting for MultiWAN in the evening.


pkg-static  (fetch)  :   Systems -> Settings -> Tunables -> net.inet.rss.enabled=0  (Fetching via IPv4 works again via WAN1)

pkg update            :    Systems -> Settings -> General ->  [ ] Prefer to use IPv4 even if IPv6 is available (NOT CHECKED)


for me the Problem is solved

PS: added "net.inet.rss.enabled=1" in 2022 and it was running until "now" without problems.
#3
haha news - i downloaded one package :D ...wtf :D


  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... fetch: transfer timed out

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
Fetching meta.conf: . done
pkg-static: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
pkg-static: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        libedit: 3.1.20221030,1 -> 3.1.20230828,1
        opnsense: 23.7.5 -> 23.7.6
        php82: 8.2.10 -> 8.2.11
        php82-ctype: 8.2.10 -> 8.2.11
        php82-curl: 8.2.10 -> 8.2.11
        php82-dom: 8.2.10 -> 8.2.11
        php82-filter: 8.2.10 -> 8.2.11
        php82-gettext: 8.2.10 -> 8.2.11
        php82-ldap: 8.2.10 -> 8.2.11
        php82-mbstring: 8.2.10 -> 8.2.11
        php82-pcntl: 8.2.10 -> 8.2.11
        php82-pdo: 8.2.10 -> 8.2.11
        php82-session: 8.2.10 -> 8.2.11
        php82-simplexml: 8.2.10 -> 8.2.11
        php82-sockets: 8.2.10 -> 8.2.11
        php82-sqlite3: 8.2.10 -> 8.2.11
        php82-xml: 8.2.10 -> 8.2.11
        php82-zlib: 8.2.10 -> 8.2.11
        py39-Babel: 2.12.1 -> 2.13.0
        py39-boto3: 1.28.52 -> 1.28.62
        py39-botocore: 1.31.52 -> 1.31.62
        py39-cffi: 1.15.1 -> 1.16.0
        py39-charset-normalizer: 3.2.0 -> 3.3.0
        py39-numexpr: 2.8.6 -> 2.8.7
        py39-s3transfer: 0.6.2 -> 0.7.0
        py39-urllib3: 1.26.16,1 -> 1.26.17,1
        ruby31-gems: 3.4.19 -> 3.4.20
        syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.
[1/28] Fetching php82-session-8.2.11.pkg: ..... done
pkg-static: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/All/php82-zlib-8.2.11.pkg: Operation timed out
Starting web GUI...done.
Generating RRD graphs...done.



i guess
pkg-static: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg
is the part which makes the update fail


later three fetches then - Timeout - any way to set the Timeout?


***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.7.5 at Tue Oct 17 22:01:45 CEST 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
libedit: 3.1.20221030,1 -> 3.1.20230828,1
opnsense: 23.7.5 -> 23.7.6
php82: 8.2.10 -> 8.2.11
php82-ctype: 8.2.10 -> 8.2.11
php82-curl: 8.2.10 -> 8.2.11
php82-dom: 8.2.10 -> 8.2.11
php82-filter: 8.2.10 -> 8.2.11
php82-gettext: 8.2.10 -> 8.2.11
php82-ldap: 8.2.10 -> 8.2.11
php82-mbstring: 8.2.10 -> 8.2.11
php82-pcntl: 8.2.10 -> 8.2.11
php82-pdo: 8.2.10 -> 8.2.11
php82-session: 8.2.10 -> 8.2.11
php82-simplexml: 8.2.10 -> 8.2.11
php82-sockets: 8.2.10 -> 8.2.11
php82-sqlite3: 8.2.10 -> 8.2.11
php82-xml: 8.2.10 -> 8.2.11
php82-zlib: 8.2.10 -> 8.2.11
py39-Babel: 2.12.1 -> 2.13.0
py39-boto3: 1.28.52 -> 1.28.62
py39-botocore: 1.31.52 -> 1.31.62
py39-cffi: 1.15.1 -> 1.16.0
py39-charset-normalizer: 3.2.0 -> 3.3.0
py39-numexpr: 2.8.6 -> 2.8.7
py39-s3transfer: 0.6.2 -> 0.7.0
py39-urllib3: 1.26.16,1 -> 1.26.17,1
ruby31-gems: 3.4.19 -> 3.4.20
syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.
[1/27] Fetching php82-zlib-8.2.11.pkg: ... done
[2/27] Fetching php82-dom-8.2.11.pkg: ......... done
[3/27] Fetching php82-simplexml-8.2.11.pkg: ... done
pkg-static: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/All/php82-pdo-8.2.11.pkg: Operation timed out
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***

#4
Well that's the output but

pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out <- is this right?

and then 28MB are not fetched ... or in other words

fetch -s is running on timeout (in the script, I don't know where it is - yet)
In other words: The GUI does not pop up the message and the button to upgrade. :/

Update is also from 5. October in the "Status" - not from today - 5 October was the last time WAN2 had a valid internet connection


Updated on Thu Oct 5 07:19:08 CEST 2023
Checked on N/A



***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Mon Oct 16 20:17:59 CEST 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Fetching meta.txz: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   libedit: 3.1.20221030,1 -> 3.1.20230828,1
   opnsense: 23.7.5 -> 23.7.6
   php82: 8.2.10 -> 8.2.11
   php82-ctype: 8.2.10 -> 8.2.11
   php82-curl: 8.2.10 -> 8.2.11
   php82-dom: 8.2.10 -> 8.2.11
   php82-filter: 8.2.10 -> 8.2.11
   php82-gettext: 8.2.10 -> 8.2.11
   php82-ldap: 8.2.10 -> 8.2.11
   php82-mbstring: 8.2.10 -> 8.2.11
   php82-pcntl: 8.2.10 -> 8.2.11
   php82-pdo: 8.2.10 -> 8.2.11
   php82-session: 8.2.10 -> 8.2.11
   php82-simplexml: 8.2.10 -> 8.2.11
   php82-sockets: 8.2.10 -> 8.2.11
   php82-sqlite3: 8.2.10 -> 8.2.11
   php82-xml: 8.2.10 -> 8.2.11
   php82-zlib: 8.2.10 -> 8.2.11
   py39-Babel: 2.12.1 -> 2.13.0
   py39-boto3: 1.28.52 -> 1.28.62
   py39-botocore: 1.31.52 -> 1.31.62
   py39-cffi: 1.15.1 -> 1.16.0
   py39-charset-normalizer: 3.2.0 -> 3.3.0
   py39-numexpr: 2.8.6 -> 2.8.7
   py39-s3transfer: 0.6.2 -> 0.7.0
   py39-urllib3: 1.26.16,1 -> 1.26.17,1
   ruby31-gems: 3.4.19 -> 3.4.20
   syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.
self: No packages available to install matching 'opnsense'
***DONE***

AND I did not interrupt it.

Scripts are here: /usr/local/opnsense/scripts/firmware
#5
Ay ay --

two DNS for two Gateways - I marked gateway as down, disabled the gateway, removed 2nd DNS and now I disabled the whole interface.

it's a really unicorn mistake

I love OPNsense too much, - so I will update via WAN2 for updates - I even switched the WANs WAN 1 x WAN 2 - I switched DNS .. nothing works :)

so I am happy for any help. Maybe I just want to know why this is happening. - But WAN 2 is only temporarily activated.

WAN1 is going to a cable bridge
WAN2 is going to a LTE router bridge

ps: did not work

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Mon Oct 16 16:40:38 CEST 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
libedit: 3.1.20221030,1 -> 3.1.20230828,1
opnsense: 23.7.5 -> 23.7.6
php82: 8.2.10 -> 8.2.11
php82-ctype: 8.2.10 -> 8.2.11
php82-curl: 8.2.10 -> 8.2.11
php82-dom: 8.2.10 -> 8.2.11
php82-filter: 8.2.10 -> 8.2.11
php82-gettext: 8.2.10 -> 8.2.11
php82-ldap: 8.2.10 -> 8.2.11
php82-mbstring: 8.2.10 -> 8.2.11
php82-pcntl: 8.2.10 -> 8.2.11
php82-pdo: 8.2.10 -> 8.2.11
php82-session: 8.2.10 -> 8.2.11
php82-simplexml: 8.2.10 -> 8.2.11
php82-sockets: 8.2.10 -> 8.2.11
php82-sqlite3: 8.2.10 -> 8.2.11
php82-xml: 8.2.10 -> 8.2.11
php82-zlib: 8.2.10 -> 8.2.11
py39-Babel: 2.12.1 -> 2.13.0
py39-boto3: 1.28.52 -> 1.28.62
py39-botocore: 1.31.52 -> 1.31.62
py39-cffi: 1.15.1 -> 1.16.0
py39-charset-normalizer: 3.2.0 -> 3.3.0
py39-numexpr: 2.8.6 -> 2.8.7
py39-s3transfer: 0.6.2 -> 0.7.0
py39-urllib3: 1.26.16,1 -> 1.26.17,1
ruby31-gems: 3.4.19 -> 3.4.20
syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.


cheers Bruce
#6
after another day and night session with my beloved firewall .

I am nearly going to be crazy -
[ x ] Prefer to use IPv4 even if IPv6 is available
[ x ] IPv6 disabled system wide  (https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6)
[ x ] setting mirror to http instead of https to rule out certification problems
[ x ] Setting the DNS manually (temporary) in /etc/hosts
[ x ] going crazy about name resolution and ipv6 and pkg



***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.5 at Mon Oct 16 06:54:41 CEST 2023
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 37.58.58.140
PING 37.58.58.140 (37.58.58.140): 1500 data bytes
1508 bytes from 37.58.58.140: icmp_seq=0 ttl=52 time=93.476 ms
1508 bytes from 37.58.58.140: icmp_seq=1 ttl=52 time=99.754 ms
1508 bytes from 37.58.58.140: icmp_seq=2 ttl=52 time=85.262 ms
1508 bytes from 37.58.58.140: icmp_seq=3 ttl=52 time=97.281 ms

--- 37.58.58.140 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 85.262/93.943/99.754/5.488 ms
Checking connectivity for repository (IPv4): http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 2a00:c98:2030:a034::21
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***

----

output cli
root@OPNsense:~ # pkg -4 -d update -f
DBG(1)[49882]> pkg initialized
Updating OPNsense repository catalogue...
DBG(1)[49882]> PkgRepo: verifying update for OPNsense
DBG(1)[49882]> Pkgrepo, begin update of '/var/db/pkg/repo-OPNsense.sqlite'
DBG(1)[49882]> Request to fetch pkg+http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.conf
DBG(1)[49882]> opening libfetch fetcher
DBG(1)[49882]> Fetch > libfetch: connecting
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.conf with opts "i4"
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.conf with opts "i4"
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.conf with opts "i4"
DBG(1)[49882]> Request to fetch pkg+http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz
DBG(1)[49882]> opening libfetch fetcher
DBG(1)[49882]> Fetch > libfetch: connecting
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz with opts "i4"
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz with opts "i4"
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz with opts "i4"
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
DBG(1)[49882]> Request to fetch pkg+http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg
DBG(1)[49882]> opening libfetch fetcher
DBG(1)[49882]> Fetch > libfetch: connecting
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg with opts "i4"
DBG(1)[49882]> Fetch: fetching from: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg with opts "i4"
DBG(1)[49882]> Fetch: fetcher chosen: http
Fetching packagesite.pkg: 100%  237 KiB 243.0kB/s    00:01   
DBG(1)[49882]> PkgRepo: extracting packagesite.yaml of repo OPNsense
DBG(1)[79533]> PkgRepo: extracting signature of repo in a sandbox
DBG(1)[49882]> Pkgrepo, reading new packagesite.yaml for '/var/db/pkg/repo-OPNsense.sqlite'
Processing entries: 100%
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.

root@OPNsense:~ # opnsense-update
Nothing to do.  <- LIAR you have 27.5 installed and 27.6 is already available! ;)

#7
Hey all,
Hey franco,

More analysis - looks like light at the end of the tunnel

It is a problem between IPv6 and DNS for MultiWAN kinda

How i found out



root@OPNsense:~ # fetch -v https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/Latest/nmap.pkg
resolving server address: pkg.opnsense.org:443

root@OPNsense:~ # fetch -v -4 https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/Latest/nmap.pkg
resolving server address: pkg.opnsense.org:443


root@OPNsense:~ # nano /etc/resolv.conf
domain orangetree
nameserver 127.0.0.1
nameserver 1.1.1.1
#nameserver 9.9.9.9 <- comment out WAN2 DNS
search orangetree

new result :

root@OPNsense:~ # fetch -v https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/Latest/nmap.pkg
resolving server address: pkg.opnsense.org:443

root@OPNsense:~ # fetch -v -4 https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/Latest/nmap.pkg
resolving server address: pkg.opnsense.org:443
SSL options: 82004854
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-CHACHA20-POLY1305
Certificate subject: /CN=pkg.opnsense.org
Certificate issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
requesting https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/Latest/nmap.pkg
remote size / mtime: 5787392 / 1697092665
nmap.pkg                                              5651 kB 5506 kBps    01s

drill pkg.freebsd.org SRV
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 51814
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; pkg.freebsd.org.     IN      SRV

;; ANSWER SECTION:
pkg.freebsd.org.        300     IN      CNAME   pkgmir.geo.freebsd.org.

;; AUTHORITY SECTION:
geo.freebsd.org.        900     IN      SOA     gns1.freebsd.org. hostmaster.freebsd.org. 1 7200 1800 259200 900

;; ADDITIONAL SECTION:

;; Query time: 60 msec
;; SERVER: 1.1.1.1
;; WHEN: Sun Oct 15 11:01:08 2023
;; MSG SIZE  rcvd: 110
root@OPNsense:~ # drill pkg.opnsense.org SRV
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23183
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; pkg.opnsense.org.    IN      SRV

;; ANSWER SECTION:
pkg.opnsense.org.       0       IN      SRV     2570 513

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 840 msec
;; SERVER: 9.9.9.9    <<< THIS LINE HAD TO MATCH THEN WAN GATEWAY 1 - BUT IT ROUTED OVER DNS OF WAN2
;; WHEN: Sun Oct 15 11:01:15 2023
;; MSG SIZE  rcvd: 50






and the same for pkg update -and pkg -4 update

pkg update time out

pkg -4 update

In new installations my external "DNS" (pihole) was not connected so I rule that out

in the chain of updating and upgrading OPNSENSE is something wrong with:

IF IPv6 does not work go to IPv4 instead
AND
IF you DO NOT find an IP ON DNS1
GOTO DNS2
IF you DO NOT find an IP ON DNS2
GOTO DNS 3

(3 nameserver allowed in /etc/resolv.conf)
I try to make it a bit like gibberish program code so maybe the problem becomes clear for any FreeBSD / OPNsense programmer. Was there a version change in fetch or pkg or the script for update in OPNsense?

Problem Now - Update is nown (pkg works kinda ) - but fetching is not initialized when I hit the button


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Sun Oct 15 11:32:06 CEST 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
libedit: 3.1.20221030,1 -> 3.1.20230828,1
opnsense: 23.7.5 -> 23.7.6
php82: 8.2.10 -> 8.2.11
php82-ctype: 8.2.10 -> 8.2.11
php82-curl: 8.2.10 -> 8.2.11
php82-dom: 8.2.10 -> 8.2.11
php82-filter: 8.2.10 -> 8.2.11
php82-gettext: 8.2.10 -> 8.2.11
php82-ldap: 8.2.10 -> 8.2.11
php82-mbstring: 8.2.10 -> 8.2.11
php82-pcntl: 8.2.10 -> 8.2.11
php82-pdo: 8.2.10 -> 8.2.11
php82-session: 8.2.10 -> 8.2.11
php82-simplexml: 8.2.10 -> 8.2.11
php82-sockets: 8.2.10 -> 8.2.11
php82-sqlite3: 8.2.10 -> 8.2.11
php82-xml: 8.2.10 -> 8.2.11
php82-zlib: 8.2.10 -> 8.2.11
py39-Babel: 2.12.1 -> 2.13.0
py39-boto3: 1.28.52 -> 1.28.62
py39-botocore: 1.31.52 -> 1.31.62
py39-cffi: 1.15.1 -> 1.16.0
py39-charset-normalizer: 3.2.0 -> 3.3.0
py39-numexpr: 2.8.6 -> 2.8.7
py39-s3transfer: 0.6.2 -> 0.7.0
py39-urllib3: 1.26.16,1 -> 1.26.17,1
ruby31-gems: 3.4.19 -> 3.4.20
syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.


UPDATE : when i remove CHECK from "Prefer IPv4 over IPv6    Prefer to use IPv4 even if IPv6 is available" then i DO NOT to delete any nameserver "fetch -v -4" is working always



#8
Hey franco,

thank you for reply - I had no time for more text when I sent the analysis. So thank you for having a look.

Update: it is maybe connected to the WAN interface itself. - but i do not see the problem. I tried fire in the whole optimize settings from random forum users for the "em" interface. But it did not change anything.

I had overwrite MTU activated and deactivated it now, because in a freebsd forum i read something of mismatched mtu.

Since I switched that, traceroute is going much faster. So maybe it is a special network setting which I am missing out. But I don't get why everything (VMs, containers) have proper connection via OPNsense router firewall but itself has problems with the pkg.

So the WAN interface is the only pci-e  passthrough device for isolating it. I am going to change passthrough parameters tomorrow.

So what I can say for sure now:

Timeout on WAN (dedicated NIC)
No timeout on WAN2 (VLAN)

Was not before 23.7 in my opinion. Definitely not before 23.x

Every new install of opnsense makes the same behavior. - to be fair i am also trying an install of opnsense to become more clear if this is a fact. 

With best regards,
Bruce



root@OPNsense:/usr/local/etc/pkg/repos # pkg rquery %n opnsense
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out
opnsense


root@OPNsense:/usr/local/etc/pkg/repos # pkg -4 rquery %n opnsense
opnsense

root@OPNsense:/usr/local/etc/pkg/repos # pkg rquery %n | wc -l
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Operation timed out
       0


#9
This is the output now from the GUI


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.5 at Fri Oct 13 06:49:16 CEST 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (28 candidates): .......... done
Processing candidates (28 candidates): .......... done
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
libedit: 3.1.20221030,1 -> 3.1.20230828,1
opnsense: 23.7.5 -> 23.7.6
php82: 8.2.10 -> 8.2.11
php82-ctype: 8.2.10 -> 8.2.11
php82-curl: 8.2.10 -> 8.2.11
php82-dom: 8.2.10 -> 8.2.11
php82-filter: 8.2.10 -> 8.2.11
php82-gettext: 8.2.10 -> 8.2.11
php82-ldap: 8.2.10 -> 8.2.11
php82-mbstring: 8.2.10 -> 8.2.11
php82-pcntl: 8.2.10 -> 8.2.11
php82-pdo: 8.2.10 -> 8.2.11
php82-session: 8.2.10 -> 8.2.11
php82-simplexml: 8.2.10 -> 8.2.11
php82-sockets: 8.2.10 -> 8.2.11
php82-sqlite3: 8.2.10 -> 8.2.11
php82-xml: 8.2.10 -> 8.2.11
php82-zlib: 8.2.10 -> 8.2.11
py39-Babel: 2.12.1 -> 2.13.0
py39-boto3: 1.28.52 -> 1.28.62
py39-botocore: 1.31.52 -> 1.31.62
py39-cffi: 1.15.1 -> 1.16.0
py39-charset-normalizer: 3.2.0 -> 3.3.0
py39-numexpr: 2.8.6 -> 2.8.7
py39-s3transfer: 0.6.2 -> 0.7.0
py39-urllib3: 1.26.16,1 -> 1.26.17,1
ruby31-gems: 3.4.19 -> 3.4.20
syslog-ng: 4.3.1_1 -> 4.4.0

Number of packages to be upgraded: 28

24 MiB to be downloaded.
self: No packages available to install matching 'opnsense'
***DONE***


self: No packages available to install matching 'opnsense' ?

AND if I start a PING job on dns-root.de it is stopping after 1 ping from the GUI

Firewall analyses pass to dns-root.de , pass to 104.21.22.179 (ip of dns-root.de)

The source is up, dns is working , fw is working - It's a pain in the ass -

Anyone here who is able to debug pkg-update ? DNS resolution , Download Gateway etc..



#10
+ Info - The Interface Diagnostics tool stops after one ping - The tool changed totally and is now producing ping jobs. but as mentioned they get stuck, while ping from console is working without problem.

+ Info I AM NOT ALONE
https://forum.opnsense.org/index.php?topic=33202.0

+ Info Investigating freebsd settings at the moment

/usr/local/etc/pkg.conf
https://forums.freebsd.org/threads/forcing-pkg-bootstrap-to-use-ip4-not-ipv6.78223/

+ Info finding more weird stuff
https://www.reddit.com/r/OPNsenseFirewall/comments/mwgl7r/update_issue/

my /etc/resolv.conf
root@OPNsense:~ # cat /etc/resolv.conf
domain orangetree
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 9.9.9.9
search orangetree


Update forcing IPv4

root@OPNsense:~ # pkg -4 update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.


Upgrade forcing IPv4
root@OPNsense:~ # pkg -4 upgrade
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Operation timed out
Fetching packagesite.txz: 100%  237 KiB 242.5kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 851 packages processed.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.



#11
Hi newsense!

First of all thank you for looking into it.

I try to provide you with more information.

I disabled IPv6 a while ago: https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6

Nevertheless I did activate it in the past and then now activate it again.
Setting: "Prefer to use IPv4 even if IPv6 is available is checked"
was before like that - - was unchecked when I succeeded via gateway two - I now checked as well as dhcpv6 is deactivated for interface of Gateway No. 2

All set now is still behaving like before

Fetched timed out ..
Update circling forever and Status is circling forever

Best regards


#12
So i tried half night -

this is the most workable output I can get.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.4 at Thu Oct  5 07:02:50 CEST 2023
Checking connectivity for host: mirror.ams1.nl.leaseweb.net -> 5.79.108.33
PING 5.79.108.33 (5.79.108.33): 1500 data bytes

--- 5.79.108.33 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): http://mirror.ams1.nl.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 851 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.ams1.nl.leaseweb.net -> 2001:1af8:4700:b210::33
PING6(1548=40+8+1500 bytes) fe80::6a05:caff:fe20:c61c%em0 --> 2001:1af8:4700:b210::33

--- 2001:1af8:4700:b210::33 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): http://mirror.ams1.nl.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...


Ping same mirror
root@OPNsense:~ # ping mirror.ams1.nl.leaseweb.net
PING mirror.ams1.nl.leaseweb.net (5.79.108.33): 56 data bytes
64 bytes from 5.79.108.33: icmp_seq=0 ttl=50 time=48.138 ms
64 bytes from 5.79.108.33: icmp_seq=1 ttl=50 time=60.030 ms
64 bytes from 5.79.108.33: icmp_seq=2 ttl=50 time=49.899 ms
--- mirror.ams1.nl.leaseweb.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.138/52.689/60.030/5.240 ms


Ping after setting to another mirror
ping mirror.fra10.de.leaseweb.net
PING mirror.fra10.de.leaseweb.net (37.58.58.140): 56 data bytes
64 bytes from 37.58.58.140: icmp_seq=0 ttl=47 time=49.068 ms
64 bytes from 37.58.58.140: icmp_seq=1 ttl=47 time=51.030 ms
64 bytes from 37.58.58.140: icmp_seq=2 ttl=47 time=44.430 ms
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 37.108/46.482/51.030/5.251 ms


New Mirror

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.4 at Thu Oct  5 07:10:28 CEST 2023
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 37.58.58.140
PING 37.58.58.140 (37.58.58.140): 1500 data bytes

--- 37.58.58.140 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 851 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 2a00:c98:2030:a034::21
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: No route to host
repository OPNsense has no meta file, using default settings
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: No route to host
pkg: http://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: No route to host
Unable to update repository OPNsense
Error updating repositories!
***DONE***



Third time mirror change

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.4 at Thu Oct  5 07:14:19 CEST 2023
Checking connectivity for host: mirror.dns-root.de -> 172.67.206.93
PING 172.67.206.93 (172.67.206.93): 1500 data bytes

--- 172.67.206.93 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 851 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.dns-root.de -> 2606:4700:3036::ac43:ce5d
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: No route to host
repository OPNsense has no meta file, using default settings
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: No route to host
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: No route to host
Unable to update repository OPNsense
Error updating repositories!
***DONE***


I have MultiWAN (deactivated Gateway 1 to make changing the mirror not take forever).
I have IPv6 deactivated, if this helps - I tried to activate it so only the firewall host can use it, but with close to the same results. As if pkg update is using another ecosystem for DNS (?)

Setup was working fine since OPNsense 16 - I renewed the whole image at OPNsense 20 and tried to make a fresh install -

Virtualized with Proxmox QEMU for 5 years without any problems.

I'd like to focus on the pkg update mechanism and the not possible resolving, while the firewall resolves everything fine.

UPDATE

After setting the 1st Gateway to off and adding IPv6 compatibility to Gateway 2, it still put out negative connection logs, but updated after hitting the button. - I guess it is a problem on Gateway 1, which is MAIN WAN.

Since the problem occurred also with only one WAN after a fresh install, I would consider this now a RULE or OUTBOUND PROBLEM -

I did not change the configuration, so something must have been changed during the updates.

Any ideas on creating an Outbound rule for pkg to test this? - I tried some stuff, but failed, since I still have no clue how to debug the system when an internal program like ping or traceroute (in OPNsense) is still working.

New output

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.5 at Thu Oct  5 07:24:55 CEST 2023
Checking connectivity for host: mirror.dns-root.de -> 104.21.22.179
PING 104.21.22.179 (104.21.22.179): 1500 data bytes
1508 bytes from 104.21.22.179: icmp_seq=0 ttl=57 time=91.703 ms
1508 bytes from 104.21.22.179: icmp_seq=1 ttl=57 time=73.999 ms
1508 bytes from 104.21.22.179: icmp_seq=2 ttl=57 time=82.238 ms
1508 bytes from 104.21.22.179: icmp_seq=3 ttl=57 time=75.749 ms

--- 104.21.22.179 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 73.999/80.922/91.703/6.940 ms
Checking connectivity for repository (IPv4): https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 851 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.dns-root.de -> 2606:4700:3034::6815:16b3
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: No route to host
repository OPNsense has no meta file, using default settings
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: No route to host
pkg: https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: No route to host
Unable to update repository OPNsense

Error updating repositories!
***DONE***

#13
Hi there - I had it running for 2 years with a major new installation last year (when introducing ZFS)

Basically since 23.7 I have massive problems.

ping works

pkg update -f

Updating update catalogue for eternal.

I can't run updates anymore, stuck on 23.7.4

That's already one of the nastiest ones so far this year. I do not even have a clue what is happening - Basically my config on a fresh install = same output.

That setup was running for years.

Recreating the failure makes updates stop as well.

Fetching timed out -

I tried, I guess, all the stuff written somewhere on the internet, but nothing helps. What I do not get: why in 23.7.4 - and next thing, why can I not solve such an "easy" problem? :) Network there, nameserver there, update on the Leaseweb server available, but no fetching.

And I do not have the debug skills for FreeBSD or OPNsense to find why it is timing out suddenly.

I tried to disable the whole firewall (pfctl), changed and checked DNS -

Fetch will not work at all. Even not after setting pk

Any help appreciated...
#14
Hi there,

I have an issue with a watchdog timeout error - but the worse thing is, this is my WAN device and OPNsense refuses to boot (or the timeout is too high - waited like 2 minutes)

I felt like in a loop.
Problem like this: https://www.doyler.net/security-not-included/re0-watchdog-timeout-error

I also tried the compiled file from here: https://github.com/anignatev/if_re

22.1 was still working - it updated directly to 22.1.2 and suddenly it was not working anymore. I had to roll back to 21.7.8 from yesterday to avoid any longer downtime.

Anyone having a similar issue with this on 22.1.2?
Anyone got a working compiled if_re.ko for FreeBSD 13.0 / OPNsense 22.1.2?


Btw great work to all contributors and makers of OPNsense! Because that's the first update error since enrolling OPNsense 3 years ago.

FIX

The problem was mentioned on one of the update pages before updating to 22.1

and it is mentioned here in the forum: https://forum.opnsense.org/index.php?topic=26627.0

Needed to install System -> Firmware -> Plugins -> os-realtek-re


EOF