cannot manage to upgrade from 22.1.3

Started by opnnewbie, June 26, 2022, 03:21:12 AM

June 26, 2022, 03:21:12 AM Last Edit: June 27, 2022, 06:06:36 PM by opnnewbie
I have been using opnSense since last December and I updated/upgraded it a couple of times without any issues; however, since 22.1.3, I am not able to update/upgrade it anymore, and I've been trying for a month or so:

Enter an option: 12

Fetching change log information, please wait... fetch: transfer timed out

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI...done.
Generating RRD graphs...done.


No matter what, I always get "fetch: transfer timed out", either from the GUI or the console, and it takes many minutes for opnSense to report the "failed update". My connection is not the best, I admit, but while opnSense is running the update process I can access from my browser all the resources opnSense cannot access, e.g.:

https://www.opnsense.org
http://mirror.sfo12.us.leaseweb.net/opnsense/
https://mirror.sfo12.us.leaseweb.net/opnsense/

... etc. My browser is on a workstation behind opnSense, like my server which is running BIND resolving from opnSense unbound. Although I often have time-outs due to a not-so-good connection, I can work every day with it; moreover, today I just updated Arch Linux and Manjaro systems behind opnSense using the same BIND-from-unbound setup that I have been running for almost half a year, and I have no problems at all. But I cannot manage to update opnSense from 22.1.3 to 22.1.9 or newer.

And I cannot understand why, if opnSense gets DNS time-outs, it takes so long to complain, or, if it gets a time-out for the change-log information at the beginning, it still insists on proceeding with the update sequence. It seems to me that if the change-log cannot be retrieved, due to a time-out or whatever else, and if the change-log is a mandatory requirement for the update sequence, why is it not aborted/interrupted after n time-out seconds? 60 seconds should be enough to inform the user the update cannot proceed for whatever reason; 5-10 minutes ... is totally out of the question. It is a simple check.

Question:

Is there a way to update opnSense from the CLI from a downloaded opnSense image?

Can I manually download the packages from the mirror and place them in the opnSense package cache? (I suppose /var/cache/whatever) ... will opnSense use them or will it insist on downloading them?

For now, try manually selecting a different mirror from the Firmware settings page?
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Quote from: axsdenied on June 26, 2022, 08:40:20 PM
For now, try manually selecting a different mirror from the Firmware settings page?

Thanks for your reply.

Already did it: same issue with every other one.

I think the problem is within the unbound config for the opnsense box: I enabled query logging for unbound and I can see every query being requested from BIND on my server. But, if within the opnsense box I do host whatever.com etc., there is nothing logged, so there is a problem with:

a) restricting unbound to answer queries within

System / Settings / General / DNS server options: "Do not use the local DNS service as a nameserver for this system" ... is DISABLED; OK, not this one

b) allowed interface

Services / Unbound DNS / General / Network Interfaces: LAN only ... OK

c) some unbound access list

Access List Name    Action    Network
Internal    Allow    127.0.0.1/8
Internal    Allow    ::1/64
Internal    Allow    #.#.#.1/29 ... my (sanitized) LAN address

aclDNS (the only one ACL present):
action allow
networks
#.#.#.# CIDR 0 (my (sanitized) LAN address): already-NATed IntraNet DNS server; i.e. all BIND queries are NATed to this host only by another router on the LAN ... working as expected because I can surf the web etc.
127.0.0.1 CIDR 8 ... just added this one in case the internal one is being overridden by this ACL ... to no avail; same behavior

Question: if within the opnSense shell I do host ibm.com ... from which address should this query be coming to unbound? I presume 127.0.0.1, am I right?

My /etc/resolv.conf (in opnSense of course) is set to 127.0.0.1

Quote from: axsdenied on June 26, 2022, 08:40:20 PM
For now, try manually selecting a different mirror from the Firmware settings page?

OK. I finally found the issue: the updater/installer is querying the System / Settings / General / DNS servers (which in my case are all blank) since I am using unbound with DNS over TLS, and so the servers are specified in their own section within the service settings. That's why doing host ibm.com etc. (within the opnSense shell) never showed up in the DNS log.

For starters I set one of those general DNS servers to 1.1.1.1 and managed to update to 22.1.9 as usual (same mirror, no problems at all).

Since I implemented DNS over TLS a couple of months ago I never managed to update opnSense again, but it never occurred to me that that was the issue to begin with; my fault ... sorry guys!

Now, the specific question is: how do I direct internal DNS queries to unbound instead of to these general servers, which I want to have set to none since all my show is with unbound DNS over TLS?
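The two things this thread ends up untangling are (1) which resolver the firewall host itself consults (the nameserver lines written to /etc/resolv.conf from the general settings, not whatever Unbound forwards to) and (2) whether a lookup that does reach the local Unbound, with the loopback address as its source, passes the access list. The following script is an added example, not OPNsense's or Unbound's code, that models both rules offline so they can be checked against a config before touching the box. It assumes Unbound's documented behaviour (only localhost allowed by default, most specific netblock wins, no match means refuse), resolv.conf(5)'s rule that a file with no nameserver line falls back to the local host, and uses constructed sample data: 192.0.2.8/29 stands in for the sanitized LAN prefix.

```python
import ipaddress

# Unbound's built-in access-control defaults: only localhost is allowed unless
# the configuration overrides it (unbound.conf(5)).
BUILTIN_ACL = [
    ("allow", ipaddress.ip_network("127.0.0.0/8")),
    ("allow", ipaddress.ip_network("::1/128")),
]


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf text, in order.

    Comments (# or ;) and other directives are ignored.  With no nameserver
    line at all, resolv.conf(5) says the resolver uses the local host, so
    127.0.0.1 is returned in that case.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    if not servers:
        servers.append(ipaddress.ip_address("127.0.0.1"))
    return servers


def parse_acl(rows):
    """Parse 'Name Action Network' rows as the GUI access-list table shows them.

    strict=False because Unbound accepts non-canonical netblocks such as
    127.0.0.1/8 (host bits set) and treats them as the containing network.
    """
    entries = []
    for row in rows:
        _name, action, network = row.split()
        entries.append((action.lower(), ipaddress.ip_network(network, strict=False)))
    return entries


def acl_verdict(source, entries):
    """Most-specific netblock wins (Unbound's rule); no match means refuse."""
    best = None
    for action, network in BUILTIN_ACL + entries:
        if network.version != source.version or source not in network:
            continue
        if best is None or network.prefixlen > best[1].prefixlen:
            best = (action, network)
    return best[0] if best else "refuse"


def check_client(source_text, acl_rows):
    """Convenience wrapper: verdict for a client address given GUI-style rows."""
    return acl_verdict(ipaddress.ip_address(source_text), parse_acl(acl_rows))


def classify(resolv_text, acl_rows):
    """For each resolver the firewall host would use, say where the query goes.

    A loopback nameserver means the query reaches the local Unbound with the
    loopback address as its source, so the access list decides; any other
    address is contacted directly and never appears in Unbound's query log.
    """
    entries = parse_acl(acl_rows)
    report = []
    for server in parse_resolv_conf(resolv_text):
        if server.is_loopback:
            report.append((str(server), "unbound", acl_verdict(server, entries)))
        else:
            report.append((str(server), "direct", "bypasses unbound"))
    return report


# Constructed sample data mirroring the thread; 192.0.2.8/29 stands in for the
# sanitized LAN prefix and is not the poster's real network.
ACL_ROWS = [
    "Internal Allow 127.0.0.1/8",
    "Internal Allow ::1/64",
    "Internal Allow 192.0.2.8/29",
]
RESOLV_LOCAL = "nameserver 127.0.0.1\n"
RESOLV_EXTERNAL = "# written from System > Settings > General\nnameserver 1.1.1.1\n"

if __name__ == "__main__":
    for label, text in (("local", RESOLV_LOCAL), ("external", RESOLV_EXTERNAL)):
        for server, via, verdict in classify(text, ACL_ROWS):
            print(f"{label:8} {server:12} via {via:8} -> {verdict}")
```

With the general DNS servers blank, the report shows the host's own lookups landing on Unbound from 127.0.0.1 and being allowed by the access list; with 1.1.1.1 set, the same lookups go straight out and bypass Unbound, which is exactly why they do not show in its query log. Feeding the script the real /etc/resolv.conf contents and the access-list rows from the GUI gives a quick check of which of the two situations a given box is in.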

Just as a point of clarification, define what you mean by "internal DNS queries", i.e. internal domains that only resolve locally? Or do you mean how to point all devices to unbound instead of external DNS? Or something else? :)
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Quote from: axsdenied on June 27, 2022, 04:57:48 PM
Just as a point of clarification, define what you mean by "internal DNS queries", i.e. internal domains that only resolve locally? Or do you mean how to point all devices to unbound instead of external DNS? Or something else? :)

Internet <- (WAN)[opnSense](LAN) <- [internal-router] <- [switch] <- [server-running-BIND-resolving-from-opnSense-unbound] + workstations all resolving from BIND (ie: nothing resolves directly from opnSense unbound)

works flawlessly; the only use case not working: opnSense internal lookups (e.g. updates): they are not using/detecting the running unbound; they go looking up the DNS servers in the general settings