What to do if pfSense says that it is unable to check for updates.
The situation was:
- pfSense was throwing the error message “Unable to check for updates” at the dashboard and at the “Auto Update”-tab.
- traffic to and from the internet was passing through my pfSense-box
- DNS-resolution was working for hosts at the LAN-interface
The first thing that wasn’t configured correctly was the “Updater Settings”-tab under “Firmware”. I needed to select the “Firmware Branch” in the drop-down labelled “Default Auto Update URLs”. In my case it’s “pfSense amd64 stable updates (current architecture)”, which automatically populates the “Base URL” in the “Firmware Auto Update URL”-section and also ticks “Use an unofficial server for firmware upgrades” (by the way, why unofficial?).
After that, the situation was the same as above, except that the Base URL “http://updates.pfsense.org/_updaters/amd64” was now in the Update URL text box. In the pfSense diagnostics my pfSense-box was able to ping and traceroute “updates.pfsense.org”. I was also able to resolve and browse that URL from a PC behind the LAN-interface, but pfSense was still complaining that it was “Unable to check for updates” at the dashboard and at the “Auto Update”-tab.
Then I corrected another issue in the WAN-interface configuration. Since my pfSense-box sits between a FritzBox and my local networks, I unticked “Block private networks”, because my gateway is in a private IP-address range (10.0.0.X/24). I still wonder why my setup was working initially, because as I understand this option, it should have blocked traffic from all private IP-ranges. I also unticked “Block bogon networks” because (in my case) the source will always be my FritzBox in 10.0.0.X/24.
The root of the problem was hiding in the settings of the DNS-forwarder under “Services” – “DNS Forwarder”. Since the option “Strict Interface Binding” was selected, I also had to select “localhost” under “Interfaces”, so that my pfSense-box itself was able to resolve “updates.pfsense.org”. After that change everything worked fine and I was able to run the “Auto Updater” successfully.
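The two things worth checking on the box after changing the forwarder's interface list are whether dnsmasq actually listens on 127.0.0.1 (otherwise pfSense itself, whose resolv.conf points at localhost when the forwarder is enabled, cannot look up the update host) and whether it now also listens on the WAN address or on the wildcard, which would answer DNS queries from the internet. The script below is an added example and not part of the original post; it parses output in the column layout of FreeBSD's `sockstat -4 -l` (COMMAND in field 2, LOCAL ADDRESS in field 6), the sockstat lines and resolv.conf content are constructed samples, and the WAN/LAN addresses are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post): classify the
# addresses the pfSense DNS forwarder (dnsmasq) is bound to, using the
# column layout of FreeBSD's `sockstat -4 -l`. All sample data below is
# constructed; 10.0.0.5 / 192.168.1.1 are hypothetical WAN / LAN addresses.

# dns_check SOCKSTAT_OUTPUT WAN_IP
# Prints one of:
#   NO_LOCALHOST              not on 127.0.0.1 -> the box itself cannot
#                             resolve updates.pfsense.org (the post's root cause)
#   OK                        on 127.0.0.1 and not on the WAN address
#   WAN_EXPOSED               on 127.0.0.1 but also on the WAN address or *:53
#   NO_LOCALHOST_WAN_EXPOSED  neither localhost nor a WAN-only bind is right
dns_check() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $2 == "dnsmasq" && $6 ~ /:53$/ {
            addr = $6
            sub(/:53$/, "", addr)                 # strip the port
            if (addr == "127.0.0.1" || addr == "*") has_local = 1
            if (addr == wan || addr == "*")       exposed = 1
        }
        END {
            if (has_local && exposed)  print "WAN_EXPOSED"
            else if (has_local)        print "OK"
            else if (exposed)          print "NO_LOCALHOST_WAN_EXPOSED"
            else                       print "NO_LOCALHOST"
        }'
}

# resolv_uses_localhost RESOLV_CONF_CONTENT
# Returns 0 when 127.0.0.1 is listed as a nameserver, i.e. the box depends
# on the forwarder listening on localhost for its own lookups.
resolv_uses_localhost() {
    printf '%s\n' "$1" | grep -q '^nameserver[[:space:]]\{1,\}127\.0\.0\.1[[:space:]]*$'
}

WAN_IP=10.0.0.5   # hypothetical WAN address, sitting behind the FritzBox

# Constructed: strict binding on, only LAN selected (the broken state).
LAN_ONLY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    1234  4  udp4   192.168.1.1:53        *:*
nobody   dnsmasq    1234  5  tcp4   192.168.1.1:53        *:*
root     sshd       900   4  tcp4   *:22                  *:*'

# Constructed: strict binding on, LAN and localhost selected (the fix).
LAN_AND_LOCALHOST="$LAN_ONLY
nobody   dnsmasq    1234  6  udp4   127.0.0.1:53          *:*
nobody   dnsmasq    1234  7  tcp4   127.0.0.1:53          *:*"

# Constructed: "all interfaces" -> wildcard bind, also reachable on WAN.
ALL_INTERFACES='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    1234  4  udp4   *:53                  *:*
nobody   dnsmasq    1234  5  tcp4   *:53                  *:*'

# Constructed resolv.conf as pfSense writes it with the forwarder enabled.
RESOLV='nameserver 127.0.0.1
nameserver 10.0.0.1'

for name in LAN_ONLY LAN_AND_LOCALHOST ALL_INTERFACES; do
    eval "sample=\$$name"
    printf '%-18s %s\n' "$name" "$(dns_check "$sample" "$WAN_IP")"
done
resolv_uses_localhost "$RESOLV" && echo "resolv.conf points at 127.0.0.1"
```

On the firewall itself the live check is `dns_check "$(sockstat -4 -l)" <your WAN address>` together with `resolv_uses_localhost "$(cat /etc/resolv.conf)"`; the goal is the OK state: localhost bound so the updater can resolve, the WAN address not bound so the forwarder is not reachable from outside.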
Thanks for this article! This fixed one of my pfSense installations, which stopped showing the auto-update status after I set up the DNS forwarder. Without realizing it, I had checked LAN/LANipv6, which made the auto-updater stop working. Checking ALL interfaces made this work again.
Thank you for your comment, glad to help you, you are very welcome! =)
You might want to check whether you now offer DNS on your WAN interface too, which might expose your DNS server to the internet.
Had a problem with the updater not working on a CARP slave and found I had accidentally set the net bits to /1 on the WAN. Fixed a lot of annoyances when I corrected that. ;-p