2.2.5 webGUI Unresponsive
-
Hi
I just upgraded from 2.2.4 to 2.2.5 on an APU NanoBSD 4G Amd64 box by NetGate. After the upgrade I have noticed the WebGUI becomes unresponsive after maybe the first or second login and then is unreachable. If I reboot the Box it's reachable again but the problem recurs after maybe the first login. I would love to see what log files I can use to correct the problem but none of the log files seem to have any information. Trying to reset the webconfigurator or the php module from the SSH console does not correct the problem.
I also tried to downgrade back to 2.2.4 from the console but that seems to be failing with the error which states something to the effect of not enough space. I tried the 4G and the 2G image and both fail.
Would love some help please.
SAM
-
… failing with the error which states something to the effect of not enough space ...
I'd start there. How much free space is there?
-
I never do an in-place upgrade. Rather, I remove all the packages, do a complete config backup and then flatten the machine, installing the new version and then restoring the backup to the new system. You don't mention packages explicitly, but if you have any installed the log files can sometimes fill up disk space quite rapidly, depending on traffic.
-
Thanks guys. I basically ended up taking out the CF card and reflashing it with a new image. Involved me heading down to the site but we needed to get things going since we weren't sure the box was secure remotely. Back up and running so not sure where in the upgrade things broke. Made a copy of the corrupted image so will try to replicate in the lab. I'm guessing it might have something to do with VPN and the DNS rebind stuff as I wasn't sure if the box will think of a VPN client connecting to the web configurator as a DNS rebind attack.
-
I never do an in-place upgrade. Rather, I remove all the packages, do a complete config backup and then flatten the machine, installing the new version and then restoring the backup to the new system.
That's a waste of time and unnecessary as long as it's a stock system.
@Jon:
… failing with the error which states something to the effect of not enough space ...
I'd start there. How much free space is there?
Exactly, sounds like there wasn't enough free space, which would then explain why the web interface wouldn't load reliably and probably the DNS rebinding message too.
-
Finally able to reproduce the problem.
Okay, in lab testing I did a fresh install on a test box. Here is what appears to be happening. A fresh install does fine until you use the IPsec or OpenVPN tunnel to tunnel into the Box. Say that when you connect to the Box you get an IP address of 192.168.10.2 and the Box's LAN is at 192.168.20.1. Also assume that Firewall and Outbound NAT rules allow VPN clients in the 192.168.10.0/24 address range to access the LAN IP.
Then if you use a VPN client to access the Webconfigurator by providing the pfSense Box's LAN ID, the webconfigurator hangs and you get the page not responding error.
Been able to reproduce this on two fresh installs.
CMB let me know if you are able to reproduce the issue.
Packages installed on the boxes were:
-- Services Watch Dog
-- OpenVPN Client Export Utility
-- Cron
-- System Patches.
SAM
-
Again I think this might be related to this https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
I am having some trouble troubleshooting the problem since I am actually accessing the webconfigurator by IP address and not hostname which I think should NOT trigger a DNS rebind warning according to the notes in the page above and should not drop the packets. Also my firewall is not triggering any DNS rebind attack warning though I am not sure if this logging needs to be explicitly activated.
Also disabling DNS rebind protection does not seem to correct the issue so I am not sure if this is really related to DNS rebind in the first place.
SAM
-
Say that when you connect to the Box you get an IP address of 192.168.10.2 and the Box's LAN is at 192.168.20.1. Also assume that Firewall and Outbound NAT rules allow VPN clients in the 192.168.10.0/24 address range to access the LAN IP.
Huh?
If I connect to a pfSense box whose "LAN is 192.168.20.1" how can I get an IP address (on LAN) of 192.168.10.2?
What is the subnet of the LAN interface? I understand you've got a problem that replicates for you in your environment, but you're going to have to give us a lot more info to be able to duplicate it.
Perhaps you could give us a small diagram of your setup with a screen shot of the LAN Subnet and DHCP ranges.
As a side note there's nothing wrong with accessing the WebGUI via its IP address either locally or via OpenVPN, I do that on a daily basis.
No rebind errors or issues at all.
-
If the pfSense box has a LAN IP address of 192.168.10.1 and has an IPsec server running or an OpenVPN server running, that does NOT mean the clients that connect to it via VPN should receive an IP address in the 192.168.10/24 space.
In our case we give VPN clients an IP address in the 192.168.20.0/24 address space and have NAT rules that just divert traffic and allow communication between the two address spaces. That is why I said "provided you have appropriate NAT rules".
Separating out our address spaces allows us to prioritize traffic and apply filtering rules slightly easier.