Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfBlocker install memory issues and fake GeoIP blocks ?

    Scheduled Pinned Locked Moved pfBlockerNG
    7 Posts 2 Posters 102 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      njaimo
      last edited by njaimo

      I've been trying pfBlocker on my new hardware (32GB memory, 500GB NVMe, capable 8-core CPU), and I think there are issues with either the installation (or the GeoIP part of program itself ?) as I am getting outbound firewall blocks from pfB saying the destination IP is in Europe, when it is actually in the US, Canada.

      https://www.iplocation.net/ip-lookup

      165f67e3-e945-49bc-ba57-fdb0366bbb4c-image.png .

      When installing pfB I got the message below from pfSense (but I have 32GB of memory fully allocated to pfSense (it is a dedicated standalone machine, no VM, no docker). So I think the blocks I am getting is the result of a corrupted database within my machine ...? I do have several GEOIP selected, but seems my machine has enough memory and disk space to properly install, and run ?

      15.0-CURRENT
      FreeBSD 15.0-CURRENT #1 RELENG_2_8_0-n256081-401ec5f685b9: Wed May 21 23:53:51 UTC 2025 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_8_0-main/obj/amd64/0q9vjGjc/var/jenkins/workspace/pfSense-CE-snapshots-2_8_0-main/sources/FreeBSD-src-RE

      Crash report details:

      PHP Errors:
      [25-Jul-2025 00:59:32 America/Denver] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @njaimo
        last edited by

        IPv4 addresses "move" as blocks are bought and sold. It's possible MaxMind needs to update their data, which IIRC it does once a month.

        @njaimo said in pfBlocker install memory issues and fake GeoIP blocks ?:

        Allowed memory size of 536870912 bytes exhausted

        PHP has a memory limit. See thread https://forum.netgate.com/topic/198267/php-fatal-error-allowed-memory-size-of-536870912-bytes-exhausted for a discussion.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        N 1 Reply Last reply Reply Quote 1
        • N
          njaimo @SteveITS
          last edited by

          @SteveITS Thank you for that !

          I checked the python ooption in DNS Resolver

          24af7e3e-921a-4add-841a-9f8c35a791ce-image.png

          and got the same error
          [25-Jul-2025 12:12:41 America/Denver] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

          then I went to pfBlocker DNSBL and checked the phyton option, and did a forced update of pfBlocker

          75e363f7-66d4-4fdf-a156-e2669be6f755-image.png

          and got the next 3 errors...

          [25-Jul-2025 12:15:35 America/Denver] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [25-Jul-2025 12:22:02 America/Denver] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
          [25-Jul-2025 12:25:48 America/Denver] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

          ...should I unistall pfB, and re-install ? all while leaving the DNS Resolver python setting on ? and then turning on again the DNSBL python setting on ? and then force reload ?

          ...not an expert here, just feeling my way through and hoping to learn...

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @njaimo
            last edited by

            @njaimo Since you have a lot of RAM you can try raising the PHP memory limit mentioned there. What is needed will depend on how big the lists are that you are trying to process, and whatever else is processing in PHP.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            N 1 Reply Last reply Reply Quote 1
            • N
              njaimo @SteveITS
              last edited by

              @SteveITS Thanks again for the replies. So just went and added a GeoIP item that I had disabled earlier, and did a forced update of pfB -- no memory errors this time. Also noticed my CPU usage is markedly lower than it was before enabling python... maybe things are working OK now...

              ...one more question ? -- the DNS Resolver python options show 'pre-validator" or post-validator", is there any preference for using pfB ?

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Galactic Empire @njaimo
                last edited by

                @njaimo There's a note on https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html

                Python Module Order:

                Controls the position of the Python module in the DNS resolution process. If DNSSEC is disabled, this option has no effect.

Pre Validator:

    The script is run before DNSSEC validation.
Post Validator:

    The script is run after DNSSEC validation.

                Since we normally forward (to Quad9) we disable DNSSEC.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                N 1 Reply Last reply Reply Quote 1
                • N
                  njaimo @SteveITS
                  last edited by

                  @SteveITS ...got it, I should have looked in the docs... I do too use Quad9 and have DNSSEC disabled, so I guess my question is pointless..

                  Thank you for all the help.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.