WAN Going Down and Some Errors
-
You're out of memory.
You really are stubborn....
-
Lol. I suppose I am. Thank you...
OK so the issue now is how could I possibly be out of memory?
The device has a 32 GB drive and 4 GB RAM....
How do I rectify?
Thank you again!!!
-
You're on a pretty old version so the max table size is probably too small for the v6 bogon table (which is huge!).
Go to Sys > Adv > Firewall and set
Firewall Maximum Table Entries
to 400000. You should upgrade when you can.
Steve
-
Will-do and thank you again. 2.4.4 is the version I should be on, correct?
-
UPDATE:
I went ahead and set the table entries to a max of 400k but same issue. The system has run flawlessly for the last year and a half or so.
EDIT: Could this be hardware failure (i.e. the RAM itself)?
-
Unlikely bad RAM. More likely the v6 bogons table is just too large.
Do you actually use IPv6? On inbound connections?
You can just remove the block bogons rule from any interface that has IPv6. Inbound traffic is blocked by default anyway on WANs.
Steve
-
Apologies for the ignorance... This is what I'm looking at. It seems I can't select either rule, nor can I drag to change the load order.
-
You would remove the rfc1918 and bogon rules on the interface settings and not the firewall interface rules.
Did you update to 2.4.4p3 and up the amount of entries for your tables.. 400k sometimes is not enough..
-
@stubborngreek Clicking the actions would allow you to make changes, although those are default settings...see image below! It will take you to the Interface settings John mentioned.
-
@NollipfSense on a side note, what is the purpose of all those block lists on your WAN? You're just blocking them from hitting your 1 open VPN port? But what is odd is you don't show any hits on even your VPN connection.. did you reset the counters or something?
Wouldn't it just be easier to set up allow only from the country you're coming from vs trying to block all the bad guys?
-
@johnpoz They were part of a pfBlockerNG list that I enabled so I let them be. I haven't finished setting up VPN yet... I had tried and was getting "could not authenticate." Then, I upgraded to pfSense 2.5-dev. I will get back to the VPN soon... I had meant to set up a VPN schedule... meanwhile I will disable the VPN.
-
Any solution..... I have the same issue.
(Netgate SG-3100, Ver. 2.4.5, 25% of memory used overall) Have read numerous similar cases, where the solution is to raise the maximum number on 'Firewall Maximum Table Entries' and do a filter reload. Still receive the same error:
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [20]: table <bogonsv6> persist file "/etc/bogonsv6"
Have disabled pfBlocker, reloaded, same error.
Now I have changed the update settings for 'Bogon Networks' on 'Firewall & NAT' to daily due to the recent update to version 2.4.5. The standard setting is per week. I'm thinking the new maximum number needs to be overwritten by the system. I will see if this solves the problem.
If anyone else finds the solution, please post. Many thanks in advance.
-
@Marty-McFly Still no solution. Have raised the maximum value to 900.000 etc., but have the same error. Hope someone has a solution out there.
-
Do you need to filter inbound bogons specifically? If not then one solution here is to just uncheck block-bogons. All inbound traffic is filtered by default anyway.
Steve
-
@stephenw10 thx, yes you have a point. Have disabled Bogons on the WAN side. That did remove the continuous errors in the log, but not the cause of the error.
I have, however, ended up with yet another error, very similar to the previous one.
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
I removed entries on the IPv4 Custom list which I had, took the Aliases URLs and removed them there, and reloaded the Update job on pfBlockerNG. Still receive the same error.
Have disabled all of pfBlockerNG and re-enabled it, to see if it would change through an overwrite. Still receive the same error.
Hope you are still up for yet another shot at this. Many thanks in advance.
-
@Marty-McFly said in WAN Going Down and Some Errors:
Cannot allocate memory
Turn off all your tables! They must be HUGE if you cannot allocate memory when you have it set to 900000.. Set it to 1800000 then.. I have mine set at 1600000... And I don't use bogon, I have no use for them, since I only allow IPs from the US and Honduras to hit my Plex.. Clearly those are not bogon, so have no use for that table..
-
@johnpoz Thx for your reply. With the fearful thought not to 'jinx it too much', it seems to have done the trick. I was not sure I could (should) raise the value too much. On the other hand, guess you're right about the size of the table, as I'm trying to prevent as much commercial jitter through pfBlocker. I raised the value to 1800000 for now, and am waiting to see if there is any downside to it. Many thanks for your help.
-
Here is the thing, if you're ONLY going to allow what is in your tables to hit your port forwards, then bogons make no sense at all to use or even populate the table. Bogon IPv6 is a HUGE table.. IPv4 not so much, and getting smaller every day to be honest as the rest of the IPv4 space gets used up.
If you were using any that could be allowed to your ports, then ok, bogon would make some sense... Then again bogons are networks that are not supposed to route on the internet.. So you really should never see any traffic from them.
Trying to block the whole freaking internet is a lost cause.. Allow what you want, it is going to be a much smaller table than every single bad guy IP out there ;)
-
@johnpoz yes, I agree. However, I'm in denial, because I believe I somehow can minimize the impact by blocking advertisement sites and such. I'm an old dinosaur fighting back. Please bear with me.
Have now trawled my pfBlocker settings and cleaned up my act. That too helped a lot.... All together, things are starting to look good.
-
Well the lists for ads and malware are not all that big.. It's when you start clicking on every possible list that the tables get out of hand ;)
I do all my outbound blocking of ads and such on pihole. I use pfblocker for GeoIP lists.. Not that pfblocker cannot do it - but I like the eye candy with pihole better.. I can see what each device is looking up.. And it runs on a Pi with very little resources without any issues at all, since really all that little box is doing is the DNS blocking.
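The recurring problem in this thread is that the sum of all pf table entries (bogonsv6, the pfBlockerNG aliases, rfc1918) outgrows the 'Firewall Maximum Table Entries' limit, and pf reports it only as "cannot define table ...: Cannot allocate memory" during a filter reload. The script below is an added example, not code from pfSense, pfBlockerNG or any poster in the thread. It parses that alert line to name the offending table, counts the entries in table files of the format pfSense uses (one network per line, '#' comments), compares the total against a configured limit, and proposes a rounded limit with headroom. The table contents are constructed samples; the 2x headroom factor and the 100000 rounding step are my assumptions, not pfSense defaults.

```python
"""Estimate pf table usage against the 'Firewall Maximum Table Entries' limit.

Added example, not pfSense or pfBlockerNG code. Assumes table files hold one
network per line with optional '#' comments, which is the layout of
/etc/bogonsv6 and /var/db/aliastables/*.txt on a pfSense box.
"""
import ipaddress
import math
import re
from typing import Dict, List, Optional, Tuple

# Matches the alert text pfSense logs when pf refuses to define a table.
ALERT_RE = re.compile(
    r"/tmp/rules\.debug:(?P<line>\d+): cannot define table "
    r"(?P<table>[^:\s]+): Cannot allocate memory"
)

# Constructed sample tables (tiny; the real bogonsv6 file is enormous).
SAMPLE_TABLES: Dict[str, str] = {
    "bogonsv6": "# constructed sample, not the real bogon list\n"
                "2001:db8::/32\n::/8\n100::/64\n",
    "pfB_Top_v4": "203.0.113.0/24\n198.51.100.0/24\n192.0.2.0/24\n"
                  "not-an-address\n",          # invalid line, must be skipped
    "rfc1918": "10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n",
}


def parse_alert(log_line: str) -> Optional[Tuple[str, int]]:
    """Return (table name, rules.debug line number) from a filter-reload alert,
    or None if the line is not that kind of alert."""
    m = ALERT_RE.search(log_line)
    if not m:
        return None
    return m.group("table"), int(m.group("line"))


def count_entries(text: str) -> int:
    """Count the entries pf would load from a table file.

    Blank lines and comments are ignored; lines that are not a valid IPv4 or
    IPv6 network are not counted, since pf would not load them either."""
    count = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        count += 1
    return count


def check_limit(tables: Dict[str, str], max_entries: int) -> Dict[str, object]:
    """Compare the total entry count of all tables with the configured limit.

    Returns per-table counts, the total, a fits/does-not-fit verdict, and the
    tables ordered largest first so the culprit is obvious."""
    counts = {name: count_entries(body) for name, body in tables.items()}
    total = sum(counts.values())
    largest: List[Tuple[str, int]] = sorted(
        counts.items(), key=lambda kv: kv[1], reverse=True
    )
    return {"counts": counts, "total": total,
            "fits": total <= max_entries, "largest": largest}


def suggested_limit(total: int, headroom: float = 2.0, step: int = 100000) -> int:
    """Propose a limit: total entries times an assumed headroom factor, rounded
    up to the next multiple of `step`. Headroom matters because pf defines the
    new copy of a table during a reload before the old copy is released."""
    return max(step, math.ceil(total * headroom / step) * step)


if __name__ == "__main__":
    alert = ("rc.filter_configure_sync: New alert found: There were error(s) "
             "loading the rules: /tmp/rules.debug:20: cannot define table "
             "bogonsv6: Cannot allocate memory")
    print("offending table:", parse_alert(alert))
    report = check_limit(SAMPLE_TABLES, max_entries=8)
    print("largest tables:", report["largest"])
    print("total", report["total"], "fits:", report["fits"],
          "suggested limit:", suggested_limit(report["total"]))
```

On a live pfSense box the same arithmetic can be done by hand: `pfctl -s memory` prints the active `table-entries hard limit`, and `pfctl -t bogonsv6 -T show | wc -l` counts what a loaded table actually holds. The thread's own numbers line up with the headroom idea: a set of lists that fails at 900000 entries loads once the limit is raised to 1800000, and `suggested_limit(900000)` yields exactly that.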