Firewall: Aliases edit from console
-
Is there a known limit to the number of IPs you can have in an alias? We have about 205 in there nowโฆthe firewall takes forever to boot and the processor is pegged at 100%. No packages are installed. We're using the the Aliases to create an Allowed Internet users ACL with another alias for allowed ports. Also, the filter reload is hung on HTTPS.
-
As long as it's just IPs, you should be able to get away with somewhere around ~3000 I thought.
The filter reload status screen doesn't automatically refresh properly on 1.2.3, you have to reload the page manually.
Aliases shouldn't impact the load time unless you're using hostnames in them instead of IPs, but other things like having several VLANs can slow it down on 1.2.3
On 2.0 it's not an issue.
-
Hmmm.. any idea why the processor would be pegged at 100%?
-
Do you have polling enabled?
-
"Use Device Polling" is not enabled.
-
From the console, look at the output of:
top -SH -
-
Do you have Captive Portal enabled? And a bunch of connected CP clients?
Or do you have one of the "country block" or "ip block" packages installed? One of those (ab)used ipfw to load a bunch of IPs and it would do something like that.
-
Captive Portal is not enabled. No packages are installed. Fresh install as of last night.
-
ipfw wouldn't be running unless something loaded it. It doesn't load by default on a stock install.
-
What about restoring the configuration from a backup (without any packages)?
DHCP Server and IPSec are enabled, but no 3rd party packages are installed.
-
I think scheduled rules will also hit ipfw. Got any of those?
-
No. But Firewall > Schedule had an Always rule? I deleted it, but it didn't help.
Plus, Filter Reload is still saying "Creating rule HTTPS".
-
After you deleted the schedules, you may have to reboot
-
Looks like that did it. Back to 0% usage. Thanks for your help.
