Messages - pantalonesijf

#1
[[ UPDATE ]] Sort of fixed... broken updater fixed by fully enabling IPv6, pulling a DHCP6 lease and rebooting.

In my opinion there still is a bug in OPNsense which somehow breaks future updates over IPv4 if you ever have functional IPv6 and then disable it. Apparently once you've used IPv6 you cannot disable it?!?

#2
Yes.

System -> Settings -> General -> Networking -> Prefer IPv4 over IPv6 (Prefer to use IPv4 even if IPv6 is available) is Enabled

#3
I've been running OPNsense and loving it for years. I just decided my firewall needed an upgrade so I did a fresh install of the latest (community) OPNsense on new hardware. Everything was working fine for a week or so until recently when I tried to update and noticed it couldn't contact the OPNsense repo.

I know updates were working fine for a while because I already updated once and installed a few packages.

Everything else works fine. Routing, DNS, NAT is all working perfectly.

  • Attempts to update via CLI just hang
  • Changing repositories or type to dev does not help
  • I can download from the repositories just fine from any endpoint behind the firewall
  • Firewall can reach the repositories just fine via shell ping
  • My ISP initially gave me a DHCP6 lease but I've since disabled IPv6
  • Everything seems to be fully functional over IPv4 except updates
  • Re-enabling IPv6 doesn't fix the issue
  • All hardware offloading and vlan filtering are disabled
  • No blocking outbound firewall rules
  • No IDS or IPS in use (disabled)
  • I have tried various mirrors and rebooted.
  • System -> Settings -> General -> Networking -> Prefer IPv4 is Enabled

Firmware status: Could not find the repository on the selected mirror.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.4_1 at Fri Mar 24 06:14:47 MDT 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
Fetching meta.txz: . done
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


I can resolve and ping any of the repositories:
ping pkg.opnsense.org
PING pkg.opnsense.org (89.149.211.205): 56 data bytes
64 bytes from 89.149.211.205: icmp_seq=0 ttl=52 time=155.210 ms
64 bytes from 89.149.211.205: icmp_seq=1 ttl=52 time=155.246 ms


When I did a health check it looks like the updater is trying to use IPv6 for some reason. Originally my ISP gave me an IPv6 lease but I'm not ready to use it so I've disabled IPv6 everywhere and turned off DHCP6.
--- 89.149.210.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 155.331/155.370/155.397/0.029 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
Fetching meta.txz: . done
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Operation timed out
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***


Connectivity Audit is fun... if I ssh in to the firewall I am able to connect to www.mirrorservice.org but the health check seems unable to do so.
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.1.4_1 at Fri Mar 24 10:38:58 MDT 2023
Checking connectivity for host: www.mirrorservice.org -> 212.219.56.184
PING 212.219.56.184 (212.219.56.184): 1500 data bytes
1508 bytes from 212.219.56.184: icmp_seq=0 ttl=45 time=121.136 ms
1508 bytes from 212.219.56.184: icmp_seq=1 ttl=45 time=122.122 ms
1508 bytes from 212.219.56.184: icmp_seq=2 ttl=45 time=120.841 ms
1508 bytes from 212.219.56.184: icmp_seq=3 ttl=45 time=120.425 ms

--- 212.219.56.184 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 120.425/121.131/122.122/0.625 ms
Checking connectivity for repository (IPv4): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Operation timed out
repository OPNsense has no meta file, using default settings
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Operation timed out
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Operation timed out
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: www.mirrorservice.org -> 2001:630:341:12::184
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1
Updating OPNsense repository catalogue...
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://www.mirrorservice.org/sites/opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***


Any help would be appreciated.

[[ UPDATE ]] Sort of fixed but not really. I posted this to Reddit and a user suggested I try fully enabling IPv6, pulling a DHCP6 lease, etc. which did work to solve the failure to update issue.

In my opinion there still is a bug in OPNsense which somehow breaks updates over IPv4 if you ever have functional IPv6.