Ubuntu Apt-Get Update Not Working with pfSense vlan Setup

I am setting up a VM for the Unifi controller for my first Unifi AP, but I am unable to update my Ubuntu server VM, and therefore, I have not installed the Unifi controller software yet. I am running Proxmox with a pfSense VM and created a Unifi VM with VLAN to access it all from.

If I add the vmbr0 bridge as a network device and then add a second network device with the VLAN tag, it works. However, if I only use the network device with the VLAN tag by itself, I am not able to update the VM. My guess is that it is a DNS and/or firewall rules problem related to how I have things currently set up.

I have added the related information below, however, please let me know if I didn’t include something needed to fix this problem. Thanks in advance for any help with this issue.

Current pfSense Setup:

$ sudo apt-get update
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable) Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
Err:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
Err:4 http://archive.ubuntu.com/ubuntu focal-security InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable) Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-security/InRelease  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Some Things I've Tried:
1. sudo -E apt-get -o Acquire::ForceIPv4=true update
2. sudo apt-get -o Acquire::option=value update
   - same results
   - Could not connect & Failed to fetch errors
3. ping -n 8.8.8.8
   PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
   64 bytes from 8.8.8.8: icmp_seq=1 ttl=112 time=18.2 ms
   64 bytes from 8.8.8.8: icmp_seq=2 ttl=112 time=15.1 ms
   64 bytes from 8.8.8.8: icmp_seq=3 ttl=112 time=14.6 ms
   64 bytes from 8.8.8.8: icmp_seq=4 ttl=112 time=15.4 ms
   ^C
   --- 8.8.8.8 ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 3004ms
   rtt min/avg/max/mdev = 14.645/15.828/18.198/1.391 ms
4. ping archive.ubuntu.com
   PING archive.ubuntu.com (91.189.88.152) 56(84) bytes of data.
   64 bytes from actiontoad.canonical.com (91.189.88.152): icmp_seq=1 ttl=50 time=121 ms
   64 bytes from actiontoad.canonical.com (91.189.88.152): icmp_seq=2 ttl=50 time=124 ms
   64 bytes from actiontoad.canonical.com (91.189.88.152): icmp_seq=3 ttl=50 time=121 ms
   64 bytes from actiontoad.canonical.com (91.189.88.152): icmp_seq=4 ttl=50 time=124 ms
   ^C
   --- archive.ubuntu.com ping statistics ---
   4 packets transmitted, 4 received, 0% packet loss, time 10227ms
   rtt min/avg/max/mdev = 121.160/122.770/124.346/1.477 ms

Does internet access work from your management VLAN? You might want to define a gateway. It is difficult to follow your setup, though, so it could well be something else.

I don’t have a front-end setup on it, but I am able to get the following mixed results. Is there anything specific that I can provide to help narrow down the focus?

The only gateway setup I have defined is in the graphic below. Is there anywhere else I should have added a specific gateway setup? I thought that the interfaces would use this as the upstream gateway.

Yeah, if you only have one gateway, it will default to it in your rules, which is what I was hinting at.

If my understanding is correct the DNS Resolver uses Unbound to resolve queries and the DNS Forwarder uses whatever has been defined, Quad 9 in your case. If both are running they cannot each use port 53.

In your setup it looks to me that you are trying to configure DNS Resolver to use Quad9 and something is not right.

Perhaps test out the DNS Forwarder and see if it works, then use only the DNS Resolver with Unbound to see if that works. It might move you along a few steps.

I currently do not have DNS forwarder enabled, but will give it another look. However, it was my understanding that DNS resolver was the newer preferred method, with DNS forwarder being the previous method. In either case, it doesn’t mean that I have either setup correctly. Thanks, I will look at it again.

Ok, just skimming this (Configuring the DNS Resolver — pfSense Documentation), you ought to be able to use Quad9 with the Resolver. On my setup, I have both running: the Resolver works with my VPN provider and the Forwarder goes out my ISP using Quad9. Though, just to minimise the things that can go wrong, test the Resolver with Unbound and the Forwarder with Quad9; it might help to pinpoint what's going wrong.

Do you have Suricata or Snort running? I have found that the ET rules will often block Linux package installers until you go through and exempt them from the rules. Not sure if this is the issue, though, just something I've seen on my system.

Thanks, neogrid, for the link, I’ll definitely check it out. Also, thanks for the suggestion, Greg_E, I currently don’t have either installed yet, but I will keep it in mind when I do get around to adding them.
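The thread's triage was done by hand (apt fails, ping works, DNS resolves), and the replies point at three different layers: gateway/routing, the pfSense Resolver or Forwarder, and firewall or IDS rules. The script below is an added example, not from the thread or from pfSense: it probes those layers from the VLAN VM and maps the result to one of those candidate causes, and it tallies apt's own error classes so the IPv6 "Network is unreachable" noise is separated from the IPv4 timeouts that actually break the update. All function names are hypothetical and the apt sample is constructed from the messages quoted in the original post.

```shell
# Added example: layer-by-layer triage of an apt mirror from the VLAN VM.
# Helper names are hypothetical; APT_SAMPLE is constructed from the post above.

# Probe name resolution, ICMP and a real TCP connect to port 80 (what apt needs).
# Only A records are looked up: the IPv6 "Network is unreachable" errors come from
# a VLAN with no IPv6 route and are noise for this problem.
probe_layers() {
    host=$1; dns=fail; icmp=fail; tcp=fail
    addr=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -n "$addr" ]; then
        dns=ok
        ping -c 1 -W 2 "$addr" >/dev/null 2>&1 && icmp=ok
        # bash's /dev/tcp avoids a dependency on nc; timeout bounds the connect.
        timeout 3 bash -c "exec 3<>/dev/tcp/$addr/80" >/dev/null 2>&1 && tcp=ok
    fi
    echo "dns=$dns icmp=$icmp tcp=$tcp"
}

# Map a probe line to the candidate causes raised in the thread. Pure function,
# so it can be exercised without network access.
interpret() {
    case "$1" in
        "dns=fail"*)                 echo "resolution" ;;    # Resolver/Forwarder or DNS rule on the VLAN
        "dns=ok icmp=fail tcp=fail") echo "routing" ;;       # no gateway/NAT reachable from the VLAN
        "dns=ok icmp=fail tcp=ok")   echo "icmp-filtered" ;; # only echo requests are dropped
        "dns=ok icmp=ok tcp=fail")   echo "tcp-filtered" ;;  # ICMP passes, TCP/80 does not: rule or IDS
        "dns=ok icmp=ok tcp=ok")     echo "healthy" ;;
        *)                           echo "unknown" ;;
    esac
}

triage_host() { interpret "$(probe_layers "$1")"; }

# Count how many of apt's connect attempts on stdin hit each failure class.
apt_error_summary() {
    awk '{ u += gsub(/Network is unreachable/, "&"); t += gsub(/connection timed out/, "&") }
         END { printf "unreachable=%d timeout=%d\n", u + 0, t + 0 }'
}

# Constructed sample: two Err lines shaped like the ones in the original post.
APT_SAMPLE='Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable) Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease
  Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Cannot initiate the connection to archive.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable)'

summarize_sample() { printf '%s\n' "$APT_SAMPLE" | apt_error_summary; }

# Run the live probe only when a host is given, e.g.: sh triage.sh archive.ubuntu.com
if [ -n "${1:-}" ]; then triage_host "$1"; fi
```

On the setup in the post (ping succeeds, DNS resolves, apt times out on TCP/80) the live probe would land in the tcp-filtered branch, which is the case the firewall-rule and Suricata/Snort replies are about.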