Lost WebGui Access after upgrade

Gertjan

@ashima said in Lost WebGui Access after upgrade:

It just gives me "Your connection is not private".

That's the "don't use http, use https" message.
Because you are still using http ??
And when you use https, you get another very known message, that tells you that "the certificate (proposed by pfSense) has not been signed by a known trusted authority".

Anyway ....

Let continue checking.
Just to be sure :
Status > System Logs > Settings
and check

and from now on :

tail -f /var/log/nginx.log

For every page you visit on pfSense (GUI) you will see a log line.
That is, of course, if the request reaches the web server.

As we know now that the web server lsuitens on every interface, launch a

curl -k https://127.0.0.1

This will show the real pfSense login page. The actual html file that the browser receives.

If your LAN IP is 192.168.1.1, test also :

curl -k https://192.168.1.1

Your LAN settings, and LAN firewall rules please.

stephenw10

No easy way to set that without access to the gui though....

Gertjan

@ashima said in Lost WebGui Access after upgrade:

rc.restart_webgui: creating rrd update script

Is it to do with corrupt rrd.

The message "rc.restart_webgui: creating rrd update script" is normal.
It's not really creating the rrd update script file, it's just assuring that one exists.

Why do you think something is corrupt ?

edit : ok, already answered

ashima

@Gertjan I have no web access. I don't know how to enable Log errors from web server process using command line.

ashima

@stephenw10 Yes, I tried from different browsers and also from different clients.

stephenw10

Is 172.16.1.2 the client you're testing from?

Are the nginx logs you do see current? Do you see new entries each time you try to access the page?

Do you have any port forwards on the firewall for port 443 that might be redirecting requests?

ashima

@stephenw10

1. Yes, I am accessing firewall over vpn. 172.16.1.X is tunnel network.
   I get the same issue when I try to access from local device.

LAN is 192.168.37.X

2. Yes the nginx logs are current with correct time stamp. Yes I see a new entry every time I try to access the webgui.

As suggested by @Gertjan I tried using curl -k -f 127.0.0.1 and curl -k -f 192.168.37,1 I see an entry in nginx log instantly.

3. No port forwards. I access the network frome remote only via openvpn.

Is there any other thing that I need to check.

Gertjan

@ashima said in Lost WebGui Access after upgrade:

I don't know how to enable Log errors from web server process using command line.

Of course. Stupid me.

Type
viconfig + enter
/<syslog> + enter

Now you'll see the content of the block <syslog> ...... </syslog> which contains the syslog settings.
if there is a line (probably the last in the block) :

<nolognginx></nolognginx>

then place the cursor on that line, and type

dd

and then
ESC (the key on the keyboard, top left) and

:wq

Now you've existed viconfig.
Exit the command line, your back in the console menu. restart the webConfigurator = option 11.

But I presume the web server (webConfigurator) isn't doing anything wrong here, it's working just fine. No need to do this 'viconfig' manipulation.

To check - just to have a look - your firewall rules :
Same thing :

viconfig

and search for <filter> :

/<filter>

if you do not see this :

then type n for next :

n

Now you see your wan firewall rules lisrted in detail, one by one.
After wan, you have the lan firewall rules.

Btw : you can also see the rules here :

cat /tmp/rules.debug

My firewall LAN rules :
...
pass in quick on $LAN inet6 proto udp from fe80::/10 to ff00::/8 port 5352 >< 5356 ridentifier 1607406256 allow-opts keep state label "USER_RULE: Pass link local multicast traffic => 5353/5" label "id:1607406256"
pass in quick on $LAN inet from 192.168.1.0/24 to any ridentifier 1576252665 keep state label "USER_RULE: Years of investigation was needed to find this rule." label "id:1576252665"
pass in quick on $LAN inet6 from 2a01:cb19:907:a6dc::/64 to any ridentifier 1670835584 keep state label "USER_RULE: This one was found faster." label "id:1670835584"
....

The GUI identical part :

Your issue is : pfSense web gui traffic, http or https, coming from a LAN based device, doesn't arrive, or is blocked at - the LAN interface, so the web server can react on it.
It could be a simple blocking firewall rule.

You can't edit the /tmp/rules.debug file, as it is regenerated from the config.xml file.

GUI from OpenVPN works, or not ?

I've been trying to use tcpdump on the command line, with filters for port 80 and destination IP-pfSense and source IP-your-device-on-LAN to check if any web traffic actually reaches your LAN NIC, but I wasn't able to create such a command for myself.

stephenw10

Mmm, it seems like the firewall rules must be present since the client here sees the cert error. If it was blocked you would not see anything.

Gertjan

@stephenw10
Wow. That's true.
Broken browser ? Device with it's own firewall playing tricks ?

@ashima : take your phone, or whatever other device, and use that.

ashima

Thank you @Gertjan @stephenw10 for sharing so much of info. Good learning experience.

I have already tried from 3 different devices and different browsers.

Well I have sent a replacement firewall at the location and asked them to sent the old device to me.

I guess I am exhausting out of options. Planing to do a fresh install.

If any one has more suggestion I am ready to try once I get the firewall before I do a fresh install.

ashima

@Gertjan @stephenw10

Thank you for the support. I received the device at my office. So tried all possible commands, but the web gui failed to show up. I also did factory reset to default but that didn't help. Finally I have decided to reinstall the system.