Netgate Discussion Forum

    NGINX Errors?

    General pfSense Questions
    • jsmiddleton4

      Well this is new.....

      nginx 2021/12/23 12:05:18 [error] 91181#100155: *526 open() "/usr/local/www/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" failed (2: No such file or directory), client:, server: , request: "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1"

      Log entry.

      Ignore? Some tweak I need to do?

      • stephenw10 (Netgate Administrator)

        Something tried to open that page on the pfSense gui which obviously doesn't exist.

        It should show you the requesting IP. If that's something external then you need to lock down the WAN to prevent it. The webgui should never be open to WAN without restrictions.

        Steve

        • jsmiddleton4 @stephenw10

          @stephenw10

          Obviously I've been banging on stuff. I'm sure I've clicked on options that went nowhere. Like the VPN tab. I don't have a VPN setup. Family who works from home log into a VPN but we don't have one locally.

          I cleared the syslog and will see if it returns.

          • stephenw10 (Netgate Administrator)

            I don't have any errors in my log to reference but those entries should show the client IP that requested that page. If it's an IP on your LAN it's nothing to worry about IMO.

            Steve

            • jsmiddleton4 @stephenw10

              @stephenw10

              It's back....

              2021/12/23 14:15:01 [error] 91181#100155: *728 "/usr/local/www/solr/index.php" is not found (2: No such file or directory), client: 128.14.209.170, server: , request: "GET /solr/ HTTP/1.1", host: "xxxxxxxxxxxx", referrer: "http://xxxxxxxx/solr/#/"

              Nothing on my network is 128.14.209.170. I can't check anything about the VPN. Folks are working.....

              The referrer and host addresses, however, are the IP my ISP assigns to my modem.

              • stephenw10 (Netgate Administrator)

                That traffic should not be hitting the pfSense webgui then. You should make sure you haven't accidentally opened the WAN to any external source.

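The check stephenw10 describes, reading the client field from the nginx error lines and deciding whether the requester is on the LAN, as an added example that is not part of any post in this thread. The sample input is the two log lines quoted above; the function names are illustrative.

```python
import ipaddress
import re

# The two nginx error lines quoted in this thread (host values stay redacted as posted).
SAMPLE_LOG = '''\
2021/12/23 12:05:18 [error] 91181#100155: *526 open() "/usr/local/www/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" failed (2: No such file or directory), client:, server: , request: "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1"
2021/12/23 14:15:01 [error] 91181#100155: *728 "/usr/local/www/solr/index.php" is not found (2: No such file or directory), client: 128.14.209.170, server: , request: "GET /solr/ HTTP/1.1", host: "xxxxxxxxxxxx", referrer: "http://xxxxxxxx/solr/#/"
'''

LINE_RE = re.compile(
    r'\[error\].*?client:\s*(?P<client>[^,\s]*),'
    r'.*?request: "(?P<method>\S+) (?P<uri>\S+)'
)

def classify(client):
    """Return 'unknown', 'internal' or 'external' for a logged client field."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:  # empty or redacted field, as in the first line
        return "unknown"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"

def triage(log_text):
    """Return (client, scope, uri) for every nginx error line that names a request."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m["client"], classify(m["client"]), m["uri"]))
    return results

def external_clients(log_text):
    """Clients outside private address space: the webGUI answered a request from WAN."""
    return sorted({c for c, scope, _ in triage(log_text) if scope == "external"})

if __name__ == "__main__":
    for client, scope, uri in triage(SAMPLE_LOG):
        print(f"{scope:8} {client or '-':15} {uri}")
```

Any address returned by `external_clients` means the webGUI port is reachable from outside, which is the condition the WAN rules need to remove.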
                • jsmiddleton4 @stephenw10

                  @stephenw10

                  The VPN provided IPs are not 129.......

                  Where would I have opened up the WAN? I've not touched any firewall rules. I have gateways for the multiple NICs, otherwise a client connected on one NIC couldn't talk to a client connected on the other. Like my networked printer. Only people that could print to it were folks hung off the same NIC the printer was on.

                  And they're all bridged. Which I thought would allow them all to talk to each other.

                  As far as opening the WAN, not touched it.

                  • jsmiddleton4 @stephenw10

                    @stephenw10

                    This is showing in Sockets. It is the only thing assigned to the same IP listed in the NGINX error.

                    root ntpd 92198 26 udp4

                    I DO have some WAN ports open. Sorry but just dawned on me.

                    Static ports for Nintendo game consoles to be able to play in friends' on-line game "rooms".

                    • stephenw10 (Netgate Administrator)

                      You should only have gateways on WANs unless you have other internal routers with further subnets behind them.

                      Internal NICs should only be bridged if they're on the same subnet. They probably aren't.

                      If you have port forwards they should be to internal IPs so traffic hitting them could not hit the webgui.

                      I think we will need to see a diagram here and probably some screen shots of your rules.

                      Steve

                      • jsmiddleton4 @stephenw10

                        @stephenw10

                        NICs are on the same subnet. I followed the steps on Netgate for making a bridge.

                        The rules for the Nintendo game consoles are assigned to static IPs.

                        By default the WAN gateway was there I thought. I don't recall making one but may have.

                        Just looked, I didn't make those 2 gateways for the WAN. One is for IPV4, one for IPV6.

                        I misspoke earlier. I made the Firewall rules, not gateways, for the LAN, the NICs.

                        The IPs I'm seeing are assigned to Zenlayer Inc.

                        The rules are all the same.

                        [Screenshots: WAN Rule.png, LAN Rule.png, OPT1 Rule.png, OPT2 Rule.png, OPT3 Rule.png, IMG_20211223_0004.jpg]

                        • stephenw10 (Netgate Administrator)

                          Ok, you have an allow all rule on the WAN there. You should disable or remove that immediately.

                          Currently all the services on the firewall are open to any external source.

                          I don't see any firewall rules created by port forwards and they usually would be by default. So I don't know what the NAT rules you added are.

                          If you just want all of those internal interfaces bridged in the same subnet you should assign the bridge itself and put the IP address and DHCP server etc on that.

                          Steve

                          • jsmiddleton4 @stephenw10

                            @stephenw10
                            That’s how I have the bridge setup.

                            If I don’t have those NAT rules, devices hung on different NICs can’t talk to devices on the other NICs.

                            I’m removing the WAN now.

                            Firewall rules created by port forwards.

                            As best as I can remember none were. Which is why I created those rules.

                            I’m on my iPad connected wirelessly to the ASUS AX86U. If I try to access the network printer hung off the 2.5gb switch in the back office WITHOUT those rules, I can’t access it. I’m blocked from it.

                            If there’s a better way to do so I’m at the ready to change any rules. I obviously don’t know change to what though.

                            • stephenw10 (Netgate Administrator)

                              We'll need to see screenshots of those rules then. If it's in the same subnet you should not need any NAT rules.

                              Can we see the Interfaces > Assignments and Interfaces > Bridges screens?

                              Steve

                              • jsmiddleton4 @stephenw10

                                @stephenw10

                                [Screenshots: Brdige2.png, bridge.png]

                                Bridge is configured for IPV4 and 6, NICs are not.

                                The rules, glad to post screen shots but there's nothing beyond what I posted. That's why the "*" in most of the fields, it's just "any".

                                "If it's in the same subnet you should not need any NAT rules"

                                The bridge has a static IPV4 address. Blanked it for the screen shot.

                                I've tested and retested. No rules, can't connect to devices which connect to different NICs.

                                [Screenshot: bridge3.png]

                                • stephenw10 (Netgate Administrator) @jsmiddleton4

                                  OK, the interface assignments and bridge config look good.

                                  Since you have pass-all rules on the bridge and the members, all traffic should pass between hosts on any of those.

                                  Do you see anything blocked in the firewall log?

                                  I meant the NAT rules you said you had to add.

                                  Steve

                                  • jsmiddleton4 @stephenw10

                                    @stephenw10

                                    I apologize if I'm getting terms crossed.

                                    The only direct NAT rules I've made are the outbound rules for the Nintendo devices. Followed the Netgate document step by step for the static port, changed to Hybrid, etc.

                                    I did not initially make those Firewall Rules for each NIC. I expected as you've said they're all one big happy "bridge", should talk to each other.

                                    Didn't and won't.

                                    I'm not saying that's the correct way to set it up. Just that's what I had to do.

                                    My Port Forwarding information in the NAT tab is empty by the way.

                                    Without those Firewall Rules the Firewall Log fills with blocked entries to the various devices.

                                    Here's those outbound rules.

                                    tbound.png

                                    • stephenw10 (Netgate Administrator)

                                      Ok, did you set the bridge sysctls to move filtering to the bridge interface?
                                      https://docs.netgate.com/pfsense/en/latest/bridges/firewall.html#bridging-and-firewalling

                                      Did you reboot after doing that?

                                      With those set you should only need rules on the bridge interface, LAN here. Otherwise, by default, the bridge filters on the member interfaces so you would need pass rules on all of them.

                                      Steve

                                      • jsmiddleton4 @stephenw10

                                        @stephenw10

                                        I don't recall doing so. I'll hit that document now.

                                        • stephenw10 (Netgate Administrator)

                                          The source in those outbound NAT rules should be internal private IPs. There's no real need to obscure those.

                                          • jsmiddleton4 @stephenw10

                                            @stephenw10

                                            I did not do anything with System Tunables when making the bridge. Can do so now, booting might have to wait. Wife watching Thursday Night Football via streaming on Fubo.TV.......

                                            These are the current entries:

                                            net.link.bridge.pfil_onlyip Only pass IP packets when pfil is enabled 0
                                            net.link.bridge.pfil_member Packet filter on the member interface 1
                                            net.link.bridge.pfil_bridge Packet filter on the bridge interface 0

                                            "At least one of these must be set to 1"

                                            One of them is set to 1 already????

                                            All of them to "1"?

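What the tunable values posted above mean for where pass rules are needed, following stephenw10's description of member versus bridge filtering (an added example, not written by either poster). The layout, with the bridge assigned as LAN and OPT1 to OPT3 as members, is an assumption taken from the screenshot names, and `BRIDGE_ONLY` is the pfil_member=0, pfil_bridge=1 combination that moves filtering to the bridge interface.

```python
# System Tunables rows as posted in this thread: name, description, value.
POSTED_TUNABLES = """\
net.link.bridge.pfil_onlyip Only pass IP packets when pfil is enabled 0
net.link.bridge.pfil_member Packet filter on the member interface 1
net.link.bridge.pfil_bridge Packet filter on the bridge interface 0
"""

# Values that move filtering from the member interfaces to the bridge interface.
BRIDGE_ONLY = {"net.link.bridge.pfil_member": 0, "net.link.bridge.pfil_bridge": 1}

# Assumed layout (hypothetical names): bridge assigned as LAN, three member NICs.
BRIDGE_IF, MEMBERS = "LAN", ["OPT1", "OPT2", "OPT3"]

def parse_tunables(text):
    """Map tunable name -> integer value (first and last field of each row)."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return {fields[0]: int(fields[-1]) for fields in rows}

def filter_points(tunables, bridge_if, members):
    """Interfaces whose rule tabs are evaluated for traffic crossing the bridge."""
    points = []
    if tunables.get("net.link.bridge.pfil_member"):
        points.extend(members)
    if tunables.get("net.link.bridge.pfil_bridge"):
        points.append(bridge_if)
    return points

def missing_pass_rules(tunables, bridge_if, members, has_pass_rule):
    """Filter points without a pass rule, where bridged traffic hits the default deny."""
    points = filter_points(tunables, bridge_if, members)
    return [iface for iface in points if iface not in has_pass_rule]

if __name__ == "__main__":
    posted = parse_tunables(POSTED_TUNABLES)
    moved = {**posted, **BRIDGE_ONLY}
    # Rules exist only on the LAN (bridge) tab in both cases.
    print("as posted  :", missing_pass_rules(posted, BRIDGE_IF, MEMBERS, {"LAN"}))
    print("bridge only:", missing_pass_rules(moved, BRIDGE_IF, MEMBERS, {"LAN"}))
```

With the posted values every member NIC needs its own pass rule, which matches the blocked entries seen without the per-NIC rules; with filtering moved to the bridge, the LAN rules alone cover bridged traffic.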
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.