WAN Going Down and Some Errors
-
(Thanks in advance for your time and help)
I've run a few iterations of pfSense, all flawless until now.
I'm currently on release 2.4.3 running on the following device (no issues in the last year and a half).
https://www.amazon.com/gp/product/B0742P83HY/ref=ppx_yo_dt_b_asin_title_o04_s00?ie=UTF8&psc=1
The issue is that I'm beginning to lose connection to the WAN, although a reboot sets it straight again.
Below is a small list of notifications from pfSense:
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-07 15:29:44
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-07 15:29:49
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-07 15:30:00
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-09 21:01:13
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-09 21:01:17
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-09 21:01:22
There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [19]: table <bogonsv6> persist file "/etc/bogonsv6" @ 2020-02-09 21:01:24
-
you're out of memory
you really are stubborn....
-
Lol. I suppose I am. Thank you...
OK so the issue now is how could I possibly be out of memory?
The device has a 32 GB drive and 4 GB RAM....
How do I rectify?
Thank you again!!!
-
You're on a pretty old version so the max table size is probably too small for the v6 bogon table (which is huge!).
Go to Sys > Adv > Firewall and set
Firewall Maximum Table Entries
to 400000. You should upgrade when you can.
Steve
-
Will-do and thank you again. 2.4.4 is the version I should be on, correct?
-
UPDATE:
I went ahead and set the table entries to a max of 400k but same issue. The system has run flawlessly for the last year and a half or so.
EDIT: Could this be hardware failure (i.e. the RAM itself)?
-
Unlikely bad RAM. More likely the v6 bogons table is just too large.
Do you actually use IPv6? On inbound connections?
You can just remove the block bogons rule from any interface that has IPv6. Inbound traffic is blocked by default anyway on WANs.
Steve
-
Apologies for the ignorance...This is what I'm looking at. It seems I can't select either rule, nor can I drag to change the load order.
-
You would remove the rfc1918 and bogon rules on the interface settings and not the firewall interface rules.
Did you update to 2.4.4p3 and up the amount of entries for your tables.. 400k sometimes is not enough..
-
@stubborngreek Clicking the actions would allow you to make changes, although those are default settings...see image below! It will take you to the Interface settings John mentioned.
-
@NollipfSense on a side note, what is the purpose of all those block lists on your WAN? You're just blocking them from hitting your one open VPN port? But what is odd is you don't show any hits on even your VPN connection.. did you reset the counters or something?
Wouldn't it just be easier to set up allow only from the country you're coming from vs trying to block all the bad guys?
-
@johnpoz They were part of pfBlockerNG list that I enabled so I let them be. I haven't finished setting up VPN yet...I had tried and was getting "could not authenticate." Then, I upgraded to pfSense 2.5-dev. I will get back to the VPN soon...I had meant to set up VPN schedule...meanwhile I will disable the VPN.
-
Any solution.....I have the same issue.
(Netgate SG-3100, Ver. 2.4.5, 25% of memory used overall) Have read numerous similar cases, where the solution is to raise the maximum number on 'Firewall Maximum Table Entries' and do a filter reload. Still receive the same error:
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [20]: table <bogonsv6> persist file "/etc/bogonsv6"
Have disabled pfBlocker, reloaded, same error.
Now I have changed the update settings for 'Bogon Networks' on 'Firewall & NAT' to daily, due to the recent update to version 2.4.5. The standard setting is per week. I'm thinking the new maximum number needs to be overwritten by the system. I will see if this solves the problem.
If anyone else finds the solution, please post. Many thanks in advance.
-
@Marty-McFly Still no solution. Have raised the maximum value to 900,000 etc., but have the same error. Hope someone out there has a solution.
-
Do you need to filter inbound bogons specifically? If not then one solution here is to just uncheck block-bogons. All inbound traffic is filtered by default anyway.
Steve
-
@stephenw10 thanks, yes, you have a point. Have disabled bogons on the WAN side. That did remove the continuous errors in the log, but not the cause of the error.
I have however, ended up with yet another error, very similar to previous one.
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
I removed entries on the IPv4 Custom list which I had, took the Alias URLs and removed them there, and reloaded the Update job on pfBlockerNG. Still receive the same error.
Have disabled all of pfBlockerNG and re-enabled it, to see if it would change through an overwrite. Still receive the same error.
Hope you are still up for yet another shot at this. Many thanks in advance.
-
@Marty-McFly said in WAN Going Down and Some Errors:
Cannot allocate memory
Turn off all your tables! They must be HUGE if you cannot allocate memory when you have it set to 900000.. Set it to 1800000 then.. I have mine set at 1600000... And I don't use bogon, I have no use for them, since I only allow IPs from the US and Honduras to hit my plex.. Clearly those are not bogon, so have no use for that table..
-
@johnpoz Thanks for your reply. With the fearful thought of not 'jinxing it' too much, it seems to have done the trick. I was not sure I could (should) raise the value too much. On the other hand, I guess you're right about the size of the table, as I am trying to prevent as much commercial jitter as possible through pfBlocker. I raised the value to 1800000 for now, and am waiting to see if there is any downside to it. Many thanks for your help.
-
Here is the thing, if you're ONLY going to allow what is in your tables to hit your port forwards, then bogons make no sense at all to use or even populate the table. Bogon IPv6 is a HUGE table.. IPv4 not so much, and getting smaller every day to be honest as the rest of the IPv4 space gets used up.
If you were using any that could be allowed to your ports, then ok, bogons would make some sense... Then again bogons are networks that are not supposed to route on the internet.. So you really should never see any traffic from them.
Trying to block the whole freaking internet is a lost cause.. Allow what you want, it is going to be a much smaller table than every single bad guy IP out there ;)
-
@johnpoz yes, I agree. However, I'm in denial, because I believe I somehow can minimize the impact by blocking advertisement sites and such. I'm an old dinosaur fighting back. Please bear with me.
Have now trolled through my pfBlocker settings and cleaned up my act. That too helped a lot.... All together, things are starting to look good.
-
Well, the lists for ads and malware are not all that big.. It's when you start clicking on every possible list that the tables get out of hand ;)
I do all my outbound blocking of ads and such on pihole. I use pfblocker for geoip lists.. Not that pfblocker can not do it - but I like the eyecandy with pihole better.. I can see what each device is looking up.. And it runs on a pi with very little resources without any issues at all, since really all that little box is doing is the dns blocking.
-
@johnpoz I might have to look that way. Have done more cleaning on pfBlocker, and it looks even better now. Do have a vmWare host available at hand, might just throw one pihole in there....Thank you very much for the input.
-
Well, after a detour I'm back to pfBlocker. Pi-Hole is really nice, I installed a Ubuntu/Pi-Hole solution on my vmWare server, and it ran just great. I have however pursued the pfBlocker option, because I would like one box to handle my traffic. Therefore I found a solution for handling pfBlocker errors, I think (so far, so good).
My error consisted of this error:
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
I therefore thought I needed to remove all of pfBlocker (uninstalled it) and removed all tables inside the tables, with this command:
pfctl -t pfB -T kill
and for my specific filter table, I also cleaned:
pfctl -t pfB_Top_v4 -T kill
No luck...still memory error log flooding, like before.
I then found out I could reach out to Netgate support and get a reinstall image for my SG-3100 device.
The reason for this thought was that I originally came from a vmWare pfSense to a hardware device, and the configuration might have saved broken references. After a reinstall, I chose to configure everything from scratch. Rules, VPN etc.
Then I started to configure pfBlocker. I chose NOT to use the wizard!
- Enabled pfBlocker and chose the first four feeds in IP blocking. Chose to enable the free ones, and the ALIAS DENY setting.
- Enabled the DNSBL first four feeds, did some DNSBL whitelisting, e.g. onedrive.com, office.com etc.
- Did the update routine.
- Configured the firewall rules for each of the ALIASes (chose firewall, and URL) (probably like the wizard will do)
and found out along the way that some similar errors occurred (memory error).
I then increased the Firewall Maximum Table Entries to 9000000.
Still the same log error. I then configured the WAN block rule for the ALIAS, e.g.
only to hit the firewall itself, and not ANY as destination. That did the trick for me.
I came to think that the block rule might run in promiscuous mode, and that could be the reason. I'm not completely sure about all of this, but the firewall has never been better, and pfBlocker is running well and doing the job. Whenever I feel more confident with the performance, I will increase the number of feeds accordingly.
Hope this may help someone else along the way.
-
There is an open bug which almost certainly covers this: https://redmine.pfsense.org/issues/10310
I'm not sure the situation you have ended up with is actually helping you much.
You seem to be blocking traffic coming into the WAN to the firewall itself only?
That traffic is blocked by default anyway unless you're allowing it in other rules we can't see there?
pfBlocker by default will apply that list outbound on WAN as well via floating rules which does prevent internal hosts connecting to them.
Steve
-
@Marty-McFly said in WAN Going Down and Some Errors:
because i would like one box to handle my traffic
Your pihole was running on a VM, so it's not a new "box". And pfSense is handling your traffic.. pihole is just DNS.. Doesn't handle your "traffic".
Do you not have switch(es), do you not have AP(s), do you not have a modem.. You are already not a one-box shop, are you? Unless all you had was a SOHO gateway and no wired devices other than the 4 ports on it.. You have moved away from the one-box-does-everything model anyway ;)
-
@johnpoz guess you're right...The one-box solution statement is not as adequate as I thought...whereas I'm pleased with the setup right now. I do miss the PiHole dashboard, much better, but for now I live with the little widget on my pfSense front page.
-
If you haven't already got your issue with the bogonsv6 table figured out, could you try something?
See what your free kmem is at - Diagnostics -> Command Prompt -> execute "sysctl vm.kmem_map_free"
Also, are you using the ramdisk feature? If so, what do you have it set at?
I ran into this error because I had my ramdisk set too close to the max, and reloading the bogonsv6 table takes something like 16Mb to 32Mb of kmem. It doesn't matter what your max table entries is set to, if you don't have the kmem available to house the tables it seems.
The SG-3100 seems to have a very limited pool of kmem.
Thanks
Josh
-
@stompro thanks for your answer. I'm not able to execute the commands, it does not seem to work, or I might be doing it wrong. So I'm not able to see the kmem layout. But you might have a good point.
btw: I'm not using the ramdisk option at the moment.
-
@stompro sorry for the late posting, my internet provider has had two days of problems due to a power outage in my area.
Result of the <sysctl vm.kmem_map_free> command:
"vm.kmem_map_free: 218554368" so I guess that's OK...?
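Pulling together the two checks raised in this thread (Steve's and johnpoz's Firewall Maximum Table Entries advice, and stompro's vm.kmem_map_free check), here is an added diagnostic script; it is not from the thread or from pfSense itself, it assumes the `pfctl -sm` and `pfctl -vvsT` output formats of FreeBSD pf, and it sizes the limit on the assumption that a filter reload holds a table's old and new copy at the same time.

```shell
#!/bin/sh
# Added diagnostic for this thread, not code from pfSense or any poster:
# compare the pf table-entries hard limit ("Firewall Maximum Table Entries")
# with what the loaded tables actually hold, and convert vm.kmem_map_free to
# MiB, since both limits surface as "cannot define table ...: Cannot allocate
# memory" during a filter reload.

# table_limit: read the table-entries hard limit from `pfctl -sm` output.
table_limit() {
    awk '$1 == "table-entries" { print $NF }'
}

# table_usage: from `pfctl -vvsT` output print "<total> <largest> <name>",
# i.e. the summed "Addresses:" counters and the single biggest table.
table_usage() {
    awk '
        NF == 2 && $1 ~ /^[-a-zA-Z]+$/ { name = $2 }   # flag line, e.g. "-pa-r-  bogonsv6"
        $1 == "Addresses:" { total += $2; if ($2 + 0 > max + 0) { max = $2; big = name } }
        END { printf "%d %d %s\n", total, max, big }'
}

# kmem_free_mib: turn a "vm.kmem_map_free: <bytes>" sysctl line into whole MiB.
kmem_free_mib() {
    awk -F': *' '$1 == "vm.kmem_map_free" { print int($2 / 1048576) }'
}

# verdict LIMIT TOTAL LARGEST: sizing assumption (mine, not from the thread):
# a reload builds the new copy of a table while the old one is still loaded,
# so the limit must cover the current total plus the largest table once more.
verdict() {
    need=$(($2 + $3))
    if [ "$need" -gt "$1" ]; then
        echo "RAISE: reload may need ~$need entries, limit is $1"
        return 1
    fi
    echo "OK: ~$need entries needed at reload, limit is $1"
}

# Live run on a pfSense box (assumes pfctl and sysctl are on PATH; skipped elsewhere).
if command -v pfctl >/dev/null 2>&1; then
    set -- $(pfctl -vvsT | table_usage)
    verdict "$(pfctl -sm | table_limit)" "$1" "$2" || true
    echo "largest table: $3 ($2 entries), free kmem: $(sysctl vm.kmem_map_free | kmem_free_mib) MiB"
fi
```

Run it from Diagnostics -> Command Prompt or an SSH shell; a RAISE verdict with plenty of free kmem points at the table-entries limit, while a low MiB figure points at the kernel memory shortage stompro describes.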