Webgui does not start after reboot



  • Hi

    I configured my home pfsense to reboot at 4:00 am every day using cron. However, after reboot, the webgui does not restart; I need to restart it manually by going to the shell prompt and selecting 11 to restart it. My version now is 2.4.4_1, but this issue started with version 2.4.4 and I thought upgrading to 2.4.4_1 might solve the problem, but it persisted. The last thing I remember before this happened was that I enabled snort on the LAN interface with version 2.4.4, but I am not sure whether it is related. I am not sure which log files I should upload to troubleshoot this, please let me know.

    Thanks.


  • Rebel Alliance

    Why should you reboot your pfSense every day?!

    -Rico



  • @rico said in Webgui does not start after reboot:

    Why should you reboot your pfSense every day?!

    -Rico

    The answer to this is probably related to the question that @zorrox asked.

    I would start with :
    Look at the system log. nginx doesn't die like that.
    Check memory usage.
    Stop visiting dangerous sites and remove snort from the equation.



  • Hi, thank you both for replying to my question.
    When I check the error logs, it says the port 443 is already used. How do I know which application is already using that port? My WAN interface port 443 is used by openvpn but the webgui is supposed to run on LAN interface port 443. Is this possible?


  • Rebel Alliance

    Shell:

    sockstat -4 -l
    

    Webgui: Diagnostics -> Sockets

    -Rico



  • @zorrox said in Webgui does not start after reboot:

    Hi, thank you both for replying to my question.
    When I check the error logs, it says the port 443 is already used. How do I know which application is already using that port? My WAN interface port 443 is used by openvpn but the webgui is supposed to run on LAN interface port 443. Is this possible?

    As you might have already discovered by now, the GUI (an nginx instance) binds to all available interfaces.

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: sockstat -4 -l
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    ....
    root     nginx      89009 6  tcp4   *:443                 *:*
    root     nginx      89009 8  tcp4   *:80                  *:*
    root     nginx      88805 6  tcp4   *:443                 *:*
    root     nginx      88805 8  tcp4   *:80                  *:*
    root     nginx      88711 6  tcp4   *:443                 *:*
    root     nginx      88711 8  tcp4   *:80                  *:*
    

    Example "*:443" == "All interfaces, port 443". This includes WAN!
    If you want to use OpenVPN on a WAN port 443 - TCP! - (you should try UDP only for OpenVPN) you have to move the GUI to another port, like 444, and access the GUI like this: https://your.pfsense.tld:444

    What probably happens to your setup: when the system starts, several services are launched at start-up. Two of them want to bind to the same interface, same port and same protocol. That is a big no-no-go-wrong. The first process that finishes its start-up grabs the port, the other one bails out.

    No more need to restart your pfSense. Keep OpenVPN on 443/TCP/WAN, and move the GUI to another port => System > Advanced > Admin Access
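
The `sockstat -4 -l` check from the posts above, turned into a small filter that lists which commands own a port and flags a wildcard listener overlapping another service. This is an added example, not part of the original thread; the sample rows (the openvpn line and the 203.0.113.5 address) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `sockstat -4 -l`. The openvpn
# row and the 203.0.113.5 address are invented for illustration.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    41872 7  tcp4   203.0.113.5:443       *:*
root     nginx      89009 6  tcp4   *:443                 *:*
root     nginx      89009 8  tcp4   *:80                  *:*
root     nginx      88805 6  tcp4   *:443                 *:*
root     nginx      88805 8  tcp4   *:80                  *:*
root     sshd       30211 4  tcp4   *:22                  *:*
EOF
}

# port_owners PORT: read sockstat output on stdin and print one line per
# distinct "command proto local-address" listening on PORT.
port_owners() {
    awk -v port="$1" '
        $1 != "USER" && NF >= 7 {
            n = split($6, part, ":")
            if (part[n] != port) next
            key = $2 " " $5 " " $6
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# port_overlap PORT: exit 0 when, for one protocol, more than one command
# claims PORT and at least one of them is bound to the wildcard address (*).
port_overlap() {
    port_owners "$1" | awk '
        {
            k = $2 " " $1
            if (!(k in cmd)) { cmd[k] = 1; ncmd[$2]++ }
            if ($3 ~ /^\*:/) wild[$2] = 1
        }
        END {
            for (p in ncmd) if (ncmd[p] > 1 && wild[p]) found = 1
            exit(found ? 0 : 1)
        }'
}

# On the firewall itself: sockstat -4 -l | port_owners 443
sample_sockstat | port_owners 443
if sample_sockstat | port_overlap 443; then
    echo "443: wildcard listener overlaps another service"
fi
```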



  • Thank you for your explanation.
    Yes, I also think that is the cause of this issue and I have changed it to 444. When you said nginx binds to all interfaces, does that mean it will fail to start even if only one of the interfaces' port 443 was taken?

    The reason I run openvpn on TCP 443 is that most firewalls out there allow TCP outbound connections to this port, so it helps when I want to VPN to my pfsense from outside, while UDP port 443 is not usually permitted.



  • @zorrox said in Webgui does not start after reboot:

    does that mean it will fail to start even if only one of the interfaces' port 443 was taken?

    Yes.
    If a process like OpenVPN binds to an interface, using port 443 and protocol TCP, then subsequent binds are not possible anymore for that interface/port/protocol.
    It's not possible that two or more processes receive the same incoming information, and that one 'recognizes' and answers and the others stay silent. It's like calling someone: you dial a phone number and expect to have one person answering, not multiple.

    True: why is the webgui binding to all interfaces - being able to instruct it to be bound to LAN only seems more logical (to me).


  • Rebel Alliance

    Check this one out: https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html
    Never tried, but maybe it works for the pfSense WebGUI too.

    -Rico



  • @rico said in Webgui does not start after reboot:

    Check this one out: https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html
    Never tried, but maybe it works for the pfSense WebGUI too.

    -Rico

    Great ....
    I knew I had read something about this ( your https://www.netgate.com/docs/pfsense/vpn/openvpn/sharing-a-port-between-openvpn-and-a-web-server.html ).
    Never tried it either.

    Can the "internal IP address of the web server" be set to the WAN IP? Which is useless in 99.9% of all cases anyway. Maybe 127.0.0.1 will do ...

    @zorrox will inform us soon.



  • I have tried the suggestion by having the custom option "port-share 192.168.1.10 443". 192.168.1.10 is the LAN IP and changed back my webgui to default port. After rebooting pfsense, now I cannot access the webgui. Restarting it with command line option 11 also does not help. Need to figure out now how to fix this. Any suggestion is appreciated.

    Thanks.



  • @zorrox said in Webgui does not start after reboot:

    and changed back my webgui to default port

    That is port 80 so no more conflicts ... Be careful: use another browser to test, some cache ancient URLs



  • After a few hours, my pfsense is magically accessible on port 444 again. I think it did not change the port to default when I tried it the first time because it was not responding when I saved the change. So I have tried saving it with the default port 443 again and now it is working; I can access the openvpn and webgui on port 443 from my WAN interface. However, I think it is not safe to expose the webgui to the Internet, so I reverted to 444. I cannot restrict 443 to certain IP addresses as I want OpenVPN accessible from anywhere.