• pfBlockerNG-devel 2.2.5_30 "Cannot allocate memory..."

    7
    0 Votes
    7 Posts
    2k Views
    L

    @Co6aka I'm in the same boat as you. Upgraded from 2.4.4 to 2.4.5. Wound up with "Cannot allocate memory" errors & only the firewall could access the internet. Uninstalling/reinstalling pfBlocker_NG gets the LAN back online (I know it isn't a pfBlocker issue).

    My table entries were at 20 million before upgrading - because I have a lot of lists and some of them are massive (each list does have a purpose). I think I worked up to 60M entries before setting this aside for the night.

    I haven't tried breaking apart my lists into smaller aliases. After reading the relevant posts here and on Reddit, it doesn't seem likely to help. It'd still be the same number of IPs that need allocation.

    (wild guess coming) Unless the issue is that the structures holding my massive aliases are buckling under the load. But, heck. I don't know.

    I'm going to sleep on it. Maybe tomorrow I'll puzzle out where I should be looking for clues. Otherwise, I'll have to check into rolling back - wait for bigger brains to set our world right (yet) again.

    Edit: box has 4GB RAM

    Q: How do I calculate Firewall Maximum Table Entries (assume 100MB in aliastables dir)

    Edit.2: I haven't been able to find a fix. Going to roll back.
    and
    I'm fairly impressed w/ the difficulty of locating a download link for
    pfSense-CE-2.4.4-RELEASE-p3-amd64.iso.gz
    Not giving up!

    Edit3: Found a copy of 2.4.4 on Linuxtracker.org (not affiliated).
    Installed a fresh copy. Restored from the backup I made using 2.4.5 (because, you know) and that worked just fine. Everything came right up; no issues at all.

    I'm all good again. I'm also scared of upgrading any of my boxes to 2.4.5 but what can you do.
    I still appreciate all the work that goes into this.

  • DNSBL breaking Google.com shopping tab...

    9
    0 Votes
    9 Posts
    3k Views
    H

    @RonpfS Found it. Thank you. Still haven't found the specific alert I'm looking for, but I at least know where to dig. Note that I haven't been looking all this time. I got sidetracked doing something else. Thanks again for your help.

  • oisd blocklist not working

    7
    0 Votes
    7 Posts
    2k Views
    BBcan177B

    @revengineer
    There is a log snippet above that to show the processing of that feed and the restart of Unbound. Take a look at those two sections of the pfblockerng.log.

  • clog_pfb drops a core if system log files are reset

    11
    0 Votes
    11 Posts
    769 Views
    ?

    FWIW: did a fresh install. Still core faults if I reset logs.

  • All alerts showing as unk country code.. help

    26
    0 Votes
    26 Posts
    3k Views
    E

    @BBcan177 Excellent! Working as expected now. Maybe someday there can be a button or comment explaining how to re-download from MaxMind because I didn't even know the command did that when I was looking at it. Thanks! Keep up the good work!

  • pfBlockerNG on pfSense bridged

    3
    0 Votes
    3 Posts
    387 Views
    BBcan177B

    @Core7
    I don't think bridging will work well with the pkg. I also have no other first-hand experience doing that, sorry.

  • DNSBL Feature Request - TLD inverse and lists

    1
    0 Votes
    1 Posts
    136 Views
    No one has replied
  • pfBlockerNG-devel 2.2.5_30 update: Is it 2.4.5 specific now?

    2
    0 Votes
    2 Posts
    358 Views
    BBcan177B

    No, it's for all versions

  • 1 Votes
    15 Posts
    2k Views
    BBcan177B

    @GregBinSD said in Shallalist and UT1 lists not working on 2.4.5-RELEASE/pfBlockerNG-devel 2.2.5_29:

    Can you tell me how long that might be?

    The pfSense devs need to review and approve. Hopefully next week.

  • Upgrade from pfBlockerNG to -devel before 2.4.5 upgrade?

    4
    0 Votes
    4 Posts
    638 Views
    F

    @Gertjan @t41k2m3

    Thank you for the details. I’ll make the jump to the -devel package first then.

    Are there any specific posts/blogs you would recommend to get up to speed on any critical changes or potential gotchas that might extend my maintenance window?

    My router is usually hovering around 3% CPU and 19% memory utilization with pfblocker, squid, squidguard, snort, and a few other pkgs running. These stats are with no inbound OpenVPN client tunnels active or outbound IPsec VPN to my Oracle Cloud IaaS tenancy up. Still, plenty of resource capacity.

  • Post-upgrade to 2.4.5 pfBlockerNG-devel causing memory and/or CPU spikes

    1
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • PFblockNG Devel not logging or blocking domains

    14
    0 Votes
    14 Posts
    1k Views
    A

    I still get nothing. In the post above I always get the same error, "Missing DNSBL stats and/or Unbound DNSBL conf file - Rebuilding"

    V/r

    Tony

  • Advanced Inbound Firewall Rule Settings

    2
    0 Votes
    2 Posts
    217 Views
    M

    Really nobody did it?

  • Feed not updating with cron but does by force

    7
    0 Votes
    7 Posts
    846 Views
    S

    Hello!

    Are you using ram disks in System/Advanced/Miscellaneous?

    This sounds oddly similar to these :

    https://forum.netgate.com/topic/151591/sort-4-not-downloading-vrt-rules/
    https://forum.netgate.com/topic/151634/php-errors/

    John

  • DNS custom IPv4 blocklist stored as base64?

    2
    0 Votes
    2 Posts
    169 Views
    bmeeksB

    Uh...Base64 is not a number base. It is a method for encoding binary values as text strings. See Wikipedia here: https://en.wikipedia.org/wiki/Base64.

  • Migrating from Pi-hole to PFblockerNG

    2
    0 Votes
    2 Posts
    2k Views
    kiokomanK

    you can add list from DNSBL / DNSBL groups and press ADD, insert that link save and enable it

    for the regex stuff i found this on redmine
    https://www.reddit.com/r/pfBlockerNG/comments/d01qod/can_pfblocker_block_urls_by_regex/ez56ta3/
    This will be available in the next major release as it will utilize the Unbound python integration.

    it's 6 months old idk how are things going on about it

    update here https://www.reddit.com/r/PFSENSE/comments/fj1ks8/migrating_from_pihole_to_pfblockerng/

    Will be in the next pfBlockerNG-devel release when pfSense 2.4.5 is released.

  • PfBlockerNG whitelisting blocked GeoIP

    8
    0 Votes
    8 Posts
    2k Views
    NollipfSenseN

    @techman2005 I just looked up scan.nextcloud.com and it resolved to 95.217.53.149, so you may need to actually edit the file /var/log/pfblockerng/ip_blocklog and remove the IP. I don't understand why it didn't adjust the data when you added the domain, saved, and reload. You could scroll to the right of that log file to see the list it belongs to and try adding the IP to the custom list I think...maybe @BBcan177 can step in.

  • Find IP Address being blocked in feeds

    2
    0 Votes
    2 Posts
    380 Views
    P

    Spent more time reviewing the changes I made. If I am not mistaken the pfB_Top_v4 alias is made by enabling GeoIP blocking (any of the lists there). In my case I enabled Top Spammers list and with action 'deny outbound'.

    After disabling 'GeoIP Top Spammers' the ubuntu updates began working.

  • Advice - Allowing client to bypass pfblocker-ng

    12
    0 Votes
    12 Posts
    9k Views
    T

    Hello All.

    I would like to ask about the following. I have some IPs bundled in an ALIAS and these IPs should bypass pfBlockerNG. When I unselect these IPs by their dedicated VPN-Interface in "Select Outbound Firewall Interface", these IPs still get filtered by pfBlocker. Is this the reason for this because of checking the option for floating rules (Open VPN) in DNSBL firewall rules?

    Nevertheless, I found wesfox's link for bypassing single IPs. Would this be the right way to bypass pfBlockerNG for some LAN IPs?

    Thx for your support in advance.

  • TLD white list not working

    21
    0 Votes
    21 Posts
    2k Views
    NollipfSenseN

    @A-Former-User said in TLD white list not working:

    @wolfsden3 said in TLD white list not working:

    Well thanks for the discussion, I learned a few things that I'll implement at other locations. Looks like they have 760k DNS queries per day on that FW. I'm not sure if that's a lot or not.

    Minimizing DNS queries is my next project although the FW is doing its job and fairly well I think.

    I'll fart around with this. I'm not sure if other sites are experiencing this too. They might very well be.

    Thanks again.

    last thing i promise.

    below i have screenshot and posted my firewall rules:

    Floating:
    float.png

    WAN:
    wan.png

    LAN:
    lan.png

    GUESTVLAN:
    guest.png

    blacked out information is just rules for my openvpn

    I just got to say I like your firewall arrangement...bravo!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.