cant login webgui

yon 0

i have config in loader.conf

kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
kern.ipc.nmbjumbo9="524288"
if_em_load="YES"
h_ertt_load="YES"
ahci_load="YES"
cc_cdg_load="YES"
aesni_load="YES"
hw.igb.enable_msix="1"
hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"
hw.igb.rxd="2048"
hw.igb.txd="2048"
net.link.ifqmaxlen="4096"
hw.igb.max_interrupt_rate="16000"
net.inet.tcp.soreceive_stream="1"
net.pf.source_nodes_hashsize="1048576"
net.isr.defaultqlimit="2048"
net.inet.tcp.syncache.hashsize="1024"
net.inet.tcp.syncache.bucketlimit="100"
autoboot_delay="3"
hw.usb.no_pf="1"
net.pf.request_maxcount="500000"

valentinius

thanks to eveyone for a piece of advice, it seems i have solved the problem!!

yon 0

@valentinius whats mean?

valentinius

@yon-0
i mean that thanks to all your recommendations i have solved the problem with login webgui)

valentinius

@yon-0 SOLVED, rebooted all is well again

yon 0

@valentinius How to solve it?

yon 0

i find the bugs.

when i import a lot of firewall_aliases networks like 200 ipv4 networks and setup route or firewall rule, then PF webgui nginx 504 Gateway Time-out.

how many network line for firewall_aliases?

yon 0

Aug 24 05:45:40 nginx 2020/08/24 05:45:40 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"

yon 0

it seem need fix nginx

https://stackoverflow.com/questions/18740635/nginx-upstream-timed-out-110-connection-timed-out-while-reading-response-hea

yon 0

2020/08/24 05:53:17 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
2020/08/24 05:56:48 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
2020/08/24 05:57:49 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/services_dhcpv6.php"
2020/08/24 06:16:55 [error] 7087#100230: kevent() reported about an closed connection (65: No route to host) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 31.13.79.17:80, certificate: "/var/etc/cert.crt"
2020/08/24 06:16:55 [error] 7087#100230: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 31.13.79.17:80, certificate: "/var/etc/cert.crt"
2020/08/24 06:16:55 [error] 7043#100233: kevent() reported about an closed connection (60: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 69.171.233.33:80, certificate: "/var/etc/cert.crt"
2020/08/24 06:16:55 [error] 7043#100233: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 69.171.233.33:80, certificate: "/var/etc/cert.crt"
2020/08/24 06:21:12 [error] 7087#100230: *6 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/diag_backup.php"
2020/08/24 06:24:35 [warn] 13335#100201: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/var/etc/cert.crt"

yon 0

Find the cause of the problem, when many static routes are set, for example, more than 1000 static routes. then if you log in to the home page of the management website, you cannot open it. /index.php

data from https://bgp.space/chinanet.html

Gertjan

@yon-0 said in cant login webgui:

Find the cause of the problem, when many static routes are set, for example, more than 1000 static routes. then if you log in to the home page of the management website, you cannot open it.

data from https://bgp.space/chinanet.html

Can I load this list into pfBlockerNG ????

( Ok, I leave ... )

yon 0

@Gertjan yes, you try do it.

jimp

If you need anywhere near 1000 static routes your design is seriously flawed.

I don't know that anyone has tested with more than a couple dozen at most.

Beyond that you really should be using some kind of dynamic routing protocol, not hardcoded static routes.

yon 0

@jimp

This is the demand of many people. So build that IP database website.
Some routes need to go out through the WAN local ISP port.
BGP is used to connect to BGP servers. There are no BGP servers that can be connected to static routes.
FRR can't use aliases in Static Route Target.

For example, many people use other routing systems use Static Route for this purpose
https://post.smzdm.com/p/ag870e9w/

yon 0

Test more than 2000 static routes, only affect the entry of the homepage. Static routing is working.

In addition, I imported the aggregated route and an error occurred

Firewall-Aliases-Bulk import


The following input errors were detected:

203.57.12.0/23 is not an IP address. Please correct the error to continue
203.57.101.0/24 is not an IP address. Please correct the error to continue
203.57.109.0/24 is not an IP address. Please correct the error to continue
203.57.123.0/24 is not an IP address. Please correct the error to continue
203.57.157.0/24 is not an IP address. Please correct the error to continue

Gertjan

Not entirely wrong.
203.57.12.0/23 is more a network.

What happens when you correct it ?

If it's still bailing out, it's probably some PHP ( ?) error that's not expressed correctly. The real issue could be a (example) memory allocation error.

JeGr

Then your import is wrong. Seems you're trying to import network aliases as host aliases. That parsing with large lists alone would likely time out the PHP-FPM worker as the max execution time is reached. Would be my guess it's PHP rather than NGINX (as the latter makes no sense).

yon 0

@Gertjan said in cant login webgui:

Not entirely wrong.
203.57.12.0/23 is more a network.

What happens when you correct it ?

If it's still bailing out, it's probably some PHP ( ?) error that's not expressed correctly. The real issue could be a (example) memory allocation error.

My server has a lot of free memory, a total of 16G memory. all data is network, other networks import is normal.
Many of us set up static routing for the IP segment of our country, and go out from the local ISP network.
Because we take into account the network speed of the local ISP and visit some websites must use the IP network of the local ISP

yon 0

@JeGr said in cant login webgui:

Then your import is wrong. Seems you're trying to import network aliases as host aliases. That parsing with large lists alone would likely time out the PHP-FPM worker as the max execution time is reached. Would be my guess it's PHP rather than NGINX (as the latter makes no sense).

i am import a lot of ip CIDR list to networks.

this has good tool, I use tools to aggregate many ip network segments. This can reduce the number of IP network segments

https://tehnoblog.org/ip-tools/ip-address-aggregator/

idc3.txt