cant login webgui



  • Now I can't log in to the pf 2.4.5-p1 webgui. I have tried restarting the system, but it is still down.




  • The IPv6 : /46 ? That's a biiiiigggg one.

    The syslogd message : operation not supported on /var/log/ppp.log : file system hosed ?

    And what about taking the image in front of the screen instead of a 45° angle ?



  • I am running FRR for BGP; the 46 should be the FRR route.
    No, I did not use an extra special file system.



  • It became special ?

    If the system is ok, consider the hardware less ok.

    Although I know nothing about LAGG - neither "frr", how they can make a boot fail.
    When you remove this "frr" thing, and LAGG stuff, everything is ok ?


  • Rebel Alliance Developer Netgate

    The messages from FRR are likely unrelated.

    If it never gets past "configuring firewall" then something is getting stuck there, in making or loading the ruleset. Press ^T (ctrl-T) to see what it's doing on the console. If you can break out of there (^C) try checking in clog /var/log/system.log for more clues.

    What other packages are on there besides FRR?



  • I know by experience that if the hardware is not OK, it does not matter what quality the hardware is; both must be perfect.



  • system.zip

    It should not be a hardware problem of the network card or switch, because they are all newly bought hardware, and the network card is Intel.



  • I can use SSH for normal login; only the webgui can't log in. It shows:

    504 Gateway Time-out
    nginx



  • How to check the list of installation packages?



  • I have installed Snort.


  • Rebel Alliance Developer Netgate

    @yon-0 said in cant login webgui:

    system.zip
    It should not be a hardware problem of the network card or switch, because they are all newly bought hardware, and the network card is intel

    That doesn't mean they are good. You are more likely to have faulty hardware new out of the box than most other times. Also the cards may not be legitimate -- there are tons of fake Intel cards out there, some of which misbehave in various ways which render networking (or the entire OS) unstable.



  • I only can't log in to the webgui, but I can reach the internet from the LAN, so the NIC should work.



  • I have this config in loader.conf:

    kern.cam.boot_delay=10000
    kern.ipc.nmbclusters="1000000"
    kern.ipc.nmbjumbop="524288"
    kern.ipc.nmbjumbo9="524288"
    if_em_load="YES"
    h_ertt_load="YES"
    ahci_load="YES"
    cc_cdg_load="YES"
    aesni_load="YES"
    hw.igb.enable_msix="1"
    hw.igb.rx_process_limit="-1"
    hw.igb.tx_process_limit="-1"
    hw.igb.rxd="2048"
    hw.igb.txd="2048"
    net.link.ifqmaxlen="4096"
    hw.igb.max_interrupt_rate="16000"
    net.inet.tcp.soreceive_stream="1"
    net.pf.source_nodes_hashsize="1048576"
    net.isr.defaultqlimit="2048"
    net.inet.tcp.syncache.hashsize="1024"
    net.inet.tcp.syncache.bucketlimit="100"
    autoboot_delay="3"
    hw.usb.no_pf="1"
    net.pf.request_maxcount="500000"
    


  • Thanks to everyone for the advice, it seems I have solved the problem!!



  • @valentinius What do you mean?



  • @yon-0
    I mean that thanks to all your recommendations I have solved the problem with the webgui login)



  • @yon-0 SOLVED, rebooted all is well again



  • @valentinius How did you solve it?



  • I found the bug.

    When I import a lot of firewall_aliases networks, like 200 IPv4 networks, and set up a route or firewall rule, the PF webgui gives nginx 504 Gateway Time-out.

    How many network lines can firewall_aliases have?



  • Aug 24 05:45:40 nginx 2020/08/24 05:45:40 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"





  • 2020/08/24 05:53:17 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
    2020/08/24 05:56:48 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
    2020/08/24 05:57:49 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/services_dhcpv6.php"
    2020/08/24 06:16:55 [error] 7087#100230: kevent() reported about an closed connection (65: No route to host) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 31.13.79.17:80, certificate: "/var/etc/cert.crt"
    2020/08/24 06:16:55 [error] 7087#100230: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 31.13.79.17:80, certificate: "/var/etc/cert.crt"
    2020/08/24 06:16:55 [error] 7043#100233: kevent() reported about an closed connection (60: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 69.171.233.33:80, certificate: "/var/etc/cert.crt"
    2020/08/24 06:16:55 [error] 7043#100233: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 69.171.233.33:80, certificate: "/var/etc/cert.crt"
    2020/08/24 06:21:12 [error] 7087#100230: *6 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/diag_backup.php"
    2020/08/24 06:24:35 [warn] 13335#100201: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/var/etc/cert.crt"
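
Added example, not part of any post in the thread: a small triage script that separates the two kinds of entries mixed together in the log above, the FastCGI (PHP-FPM) upstream timeouts behind the 504 and the unrelated OCSP stapling messages. The sample input is five lines copied from the posted log; the function and category names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: five lines copied from the nginx error log posted above.
SAMPLE_LOG = '''\
Aug 24 05:45:40 nginx 2020/08/24 05:45:40 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
2020/08/24 05:53:17 [error] 13539#100230: *14202 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/system_routes.php"
2020/08/24 06:16:55 [error] 7087#100230: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 31.13.79.17:80, certificate: "/var/etc/cert.crt"
2020/08/24 06:21:12 [error] 7087#100230: *6 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.101.30, server: , request: "GET /index.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.101.254:2253", referrer: "https://192.168.101.254:2253/diag_backup.php"
2020/08/24 06:24:35 [warn] 13335#100201: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/var/etc/cert.crt"
'''

# Not anchored at line start, so a syslog prefix ("Aug 24 ... nginx") is tolerated.
LINE_RE = re.compile(r'(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
                     r'\d+#\d+: (?:\*\d+ )?(?P<msg>.*)$')
REQUEST_RE = re.compile(r'request: "(?P<method>\S+) (?P<path>\S+) [^"]*"')
UPSTREAM_RE = re.compile(r'upstream: "(?P<upstream>[^"]+)"')


def triage(log_text):
    """Return (kinds, timeouts): entry counts per category, and
    upstream timeouts grouped by (upstream socket, request path)."""
    kinds = Counter()
    timeouts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if "upstream timed out" in msg:
            kinds["upstream_timeout"] += 1
            req, up = REQUEST_RE.search(msg), UPSTREAM_RE.search(msg)
            timeouts[(up.group("upstream") if up else "?",
                      req.group("path") if req else "?")] += 1
        elif "OCSP" in msg or "ssl_stapling" in msg:
            kinds["ocsp_stapling"] += 1
        else:
            kinds["other"] += 1
    return kinds, timeouts


if __name__ == "__main__":
    kinds, timeouts = triage(SAMPLE_LOG)
    print(dict(kinds))
    for (upstream, path), n in timeouts.most_common():
        print(f"{n} timeout(s): {path} via {upstream}")
```

On the sample, every timeout is a request for /index.php waiting on the php-fpm socket; the OCSP lines concern certificate stapling and are a separate matter.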
    
    


  • Found the cause of the problem: when many static routes are set, for example more than 1000 static routes, then if you log in to the home page of the management website, you cannot open it. /index.php

    data from https://bgp.space/chinanet.html



  • @yon-0 said in cant login webgui:

    Found the cause of the problem: when many static routes are set, for example more than 1000 static routes, then if you log in to the home page of the management website, you cannot open it.

    data from https://bgp.space/chinanet.html

    Can I load this list into pfBlockerNG ????

    ( Ok, I leave ... 😊 )



  • @Gertjan Yes, try doing it.


  • Rebel Alliance Developer Netgate

    If you need anywhere near 1000 static routes your design is seriously flawed.

    I don't know that anyone has tested with more than a couple dozen at most.

    Beyond that you really should be using some kind of dynamic routing protocol, not hardcoded static routes.



  • @jimp

    This is the demand of many people. So build that IP database website.
    Some routes need to go out through the WAN local ISP port.
    BGP is used to connect to BGP servers. There are no BGP servers that can be connected to static routes.
    FRR can't use aliases in Static Route Target.

    For example, many people using other routing systems use static routes for this purpose:
    https://post.smzdm.com/p/ag870e9w/



  • Tested more than 2000 static routes; it only affects access to the homepage. Static routing is working.

    In addition, I imported the aggregated routes and an error occurred:

    Firewall-Aliases-Bulk import
    
    
    The following input errors were detected:
    
    203.57.12.0/23 is not an IP address. Please correct the error to continue
    203.57.101.0/24 is not an IP address. Please correct the error to continue
    203.57.109.0/24 is not an IP address. Please correct the error to continue
    203.57.123.0/24 is not an IP address. Please correct the error to continue
    203.57.157.0/24 is not an IP address. Please correct the error to continue
    


  • Not entirely wrong.
    203.57.12.0/23 is more a network.

    What happens when you correct it ?

    If it's still bailing out, it's probably some PHP ( ?) error that's not expressed correctly. The real issue could be a (example) memory allocation error.


  • LAYER 8 Moderator

    Then your import is wrong. Seems you're trying to import network aliases as host aliases. That parsing with large lists alone would likely time out the PHP-FPM worker as the max execution time is reached. Would be my guess it's PHP rather than NGINX (as the latter makes no sense).



  • @Gertjan said in cant login webgui:

    Not entirely wrong.
    203.57.12.0/23 is more a network.

    What happens when you correct it ?

    If it's still bailing out, it's probably some PHP ( ?) error that's not expressed correctly. The real issue could be a (example) memory allocation error.

    My server has a lot of free memory, a total of 16G memory. All the data is networks; other network imports are normal.
    Many of us set up static routing for the IP segments of our country, and go out through the local ISP network,
    because we take into account the network speed of the local ISP, and visiting some websites requires using the IP network of the local ISP.



  • @JeGr said in cant login webgui:

    Then your import is wrong. Seems you're trying to import network aliases as host aliases. That parsing with large lists alone would likely time out the PHP-FPM worker as the max execution time is reached. Would be my guess it's PHP rather than NGINX (as the latter makes no sense).

    I am importing a lot of IP CIDR lists as networks.

    There is a good tool for this; I use tools to aggregate many IP network segments. This can reduce the number of IP network segments.

    https://tehnoblog.org/ip-tools/ip-address-aggregator/

    idc3.txt
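
Added example, not part of any post in the thread: a pre-import check for a CIDR list like the ones discussed above, using Python's standard `ipaddress` module. It strips invisible Unicode format characters (which can make a line that looks correct fail validation), rejects entries that are not valid networks, and aggregates the rest to reduce the entry count. The sample list and the function name are constructed for illustration.

```python
import ipaddress
import unicodedata


def clean_and_aggregate(lines):
    """Validate and aggregate CIDR strings.

    Returns (aggregated, stripped, rejected):
      aggregated - collapsed networks as strings, IPv4 first then IPv6
      stripped   - line numbers where invisible characters were removed
      rejected   - (line number, original text, reason) for invalid entries
    """
    nets, stripped, rejected = [], [], []
    for lineno, raw in enumerate(lines, 1):
        # Category "Cf" covers zero-width spaces, BOMs and similar characters
        # that survive copy and paste but are not visible on screen.
        text = "".join(ch for ch in raw if unicodedata.category(ch) != "Cf")
        if text != raw:
            stripped.append(lineno)
        text = text.strip()
        if not text or text.startswith("#"):
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            rejected.append((lineno, raw, str(exc)))
    aggregated = []
    for version in (4, 6):  # collapse_addresses() cannot mix IP versions
        same = [n for n in nets if n.version == version]
        aggregated += [str(n) for n in ipaddress.collapse_addresses(same)]
    return aggregated, stripped, rejected


# Constructed sample list (not the idc3.txt attachment from the thread).
SAMPLE = [
    "203.57.12.0/23",
    "203.57.1\u200b01.0/24",  # zero-width space hidden inside the address
    "203.57.100.0/24",
    "203.57.14.0/23",
    "203.57.109.5/24",        # host bits set: not a network address
    "not-a-network",
]

if __name__ == "__main__":
    aggregated, stripped, rejected = clean_and_aggregate(SAMPLE)
    print("aggregated:", aggregated)
    print("invisible characters removed on lines:", stripped)
    for lineno, raw, reason in rejected:
        print(f"rejected line {lineno}: {raw!r} ({reason})")
```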

