99% Memory Useage

BBcan177

So where to start well I have been running Pfsense for about 8 years now. the Problem I Am running in to is after a reset I get to about 99% memory Usage
and the network become's unstable a restart or setting Ram dsik fix's this. I can set up a Ram Disk but it gets used up. If i set up a ram disk does not use all my memory. This was a fresh install then backup applied . What happend was I did a hardware swap and then had a bad disk.
The hardware I came from was a Dell 2900v3 2x Xeon 4 cores Also due to to much power usage.
That's when this Problem start the old system did have 58Gb ECC of Ram.

Check out the following reddit thread and see if that helps:
https://www.reddit.com/r/PFSENSE/comments/9g9csi/pfblockerngdevel_high_cpu_usage/

Also try running the following top command:

top -aSH

Snowaks

Should I Do a restart after disable of Pf blocker ? Will take a look at the reddit post thanks guys!
Do you think the Cpu problem is just like the Ram one ? Hey I will try any thing with in reason.
My best fix yet is to set var/ to as a ram disk and it does not allow it to go over the set parameter.
Will Disable and update my post It takes around 2-3 day's to for the memory to hit 99%.
I change Cron to 4h set logging on unbound to level 3 as it was on level 2.

unbound-control -c /var/unbound/unbound.conf status (Edit2)

Snowaks

PFblockerNG Off for 1 day still showing 90% Plus

Snowaks

@bbcan177 said in 99% Memory Useage:

top -aSH

I mist your command as it was in black.

xciter327

Are Your sure it's not Surricata eating all the RAM?

P.S. - You could install htop with "pkg install htop". Might need a reboot to work(for me at least). There you can check in real time what's going on.

BBcan177

@xciter327 said in 99% Memory Useage:

Are Your sure it's not Surricata eating all the RAM?

Yes its definately Suricata .. you can see several PIDs for the same interface...

If you are using the package "Service Watchguard", do not add Snort/Suricata as it will try to restart the package when cron is updating the rules leading to phantom processes.

Snowaks

@bbcan177 @xciter327

I have used it in the past have not reinstalled it. Do to the memory problem and read some where about cron and problems with it
I can disable Suricata and will still get 99% I mean I may Be mistaken and end up with my foot in my mouth.
I will also do a reboot to clear the used Ram as this is the only way I have found to get it to back to normal.
If so I think it would be a good idea to add in a memory setting in general to only control the packages amount of Max used Ram?
I will Disable Suricata and add screen shots.

PS Is there a way to set per a package max used Ram in tunables?

Snowaks

@snowaks said in 99% Memory Useage:

top -aSH

xciter327

With Suricata disabled, do a reboot to make sure it's all clean.

P.S. - this is not related, but why run both unbound and dns forwarder?

Snowaks

I was Under the understanding that Unbound was for internal traffic Lan and forward was for Wan side incoming.
I had some problems get stuff to see some stuff from the outside the network
Did not matter what firewall rule/port forwarding I added. I read some where that you should enable
forwarder I did and the traffic worked. So I prayed to the Pfsense gods and walked a way with it up and happy.
Plex was the problem Program.

MoonKnight

@snowaks said in 99% Memory Useage:

I was Under the understanding that Unbound was for internal traffic Lan and forward was for Wan side incoming.
I had some problems get stuff to see some stuff from the outside the network
Did not matter what firewall rule/port forwarding I added. I read some where that you should enable
forwarder I did and the traffic worked. So I prayed to the Pfsense gods and walked a way with it up and happy.
Plex was the problem Program.

Hi,

Have you tried a clean install, without using your backup config?
Then just change your settings manually and add one package at the time.

stephenw10

Mmm, something is very wrong there. Try this. Run top -aSH at the command line, so probably via SSH.

Then when it's running hit o to change the sort order and then type size to sort by size. Hit q to quit. Copy paste that here.

Steve

Snowaks

Yes Cisco I have did not change. I've some how fixed the problem I have suricata on even higher setting.
Then I had be for when they where stock. Ive also install Squid proxy. like 12 more Pf blockers Lists so thing On pfsense side cause a memory leak.
I've been stable at 10-20% memory now With Lan/Wan with Suricata on high, Max pending packets on 10k.
Also Set Pattern Matcher Algorithm off auto to hyper scan. I did this to try and see if it Suricata Or to see if I
could get what was happening in 2-3day to happen in 1. Pf blocker was change to Dlev.

Snowaks

If you guys still want to see if I can reproduce the problem I can go back to bone stock suricata setup.
I also disable DNS Forwarder and just set unbound to do every thing it was split be for.
So maybe this was the cause and not the packages I can re enable DNS forwarder and see if my memory goes back to what was seen.

stephenw10

If you can pin down a memory leak it would be good to know about it.

Steve

Snowaks

Well with the Update to 2.4.4 I can not reproduce this memory leak not sure what was the root cause
but pretty sure it was Dns Unbound and Dns forwarder, Not playing nice with each other.
I have try removing the packages and just setting both to run.
I have no more use for forwarder so it is now disabled. Pretty much was using
Dns Forwarder to Query Dns servers sequentially. Not sure if I was ruing just a really odd
config or using some thing for that it was not its intended use. If this pop's up again I will install
my config on a 2nd system to do a test bench to find the problem.