WAN Going Down and Some Errors
-
Any solution..... I have the same issue.
(Netgate SG-3100, Ver. 2.4.5, 25% of memory used overall) Have read numerous similar cases, where the solution is to raise the maximum number on 'Firewall Maximum Table Entries' and do a filter reload. Still receive the same error:
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:20: cannot define table bogonsv6: Cannot allocate memory - The line in question reads [20]: table <bogonsv6> persist file "/etc/bogonsv6"
Have disabled pfBlocker, reloaded, same error.
Now I have changed the update setting for 'Bogon Networks' on 'Firewall & NAT' to daily due to the recent update to version 2.4.5. The standard setting is per week. I'm thinking the new maximum number needs to be overwritten by the system. I will see if this solves the problem.
If anyone else finds the solution, please post. Many thanks in advance.
-
@Marty-McFly Still no solution. Have raised the maximum value to 900,000 etc., but still have the same error. Hope someone has a solution out there.
-
Do you need to filter inbound bogons specifically? If not then one solution here is to just uncheck block-bogons. All inbound traffic is filtered by default anyway.
Steve
-
@stephenw10 thx, yes, you have a point. Have disabled Bogons on the WAN side. That did remove the continuous errors in the log, but not the cause of the error.
I have, however, ended up with yet another error, very similar to the previous one.
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
I removed the entries on the IPv4 Custom list which I had, took the Alias URLs and removed them there, and reloaded the Update job on pfBlockerNG. Still receive the same error.
Have disabled all of pfBlockerNG and re-enabled it, to see if it would change through an overwrite. Still receive the same error.
Hope you are still up for yet another shot at this. Many thanks in advance.
-
@Marty-McFly said in WAN Going Down and Some Errors:
Cannot allocate memory
Turn off all your tables! They must be HUGE if you cannot allocate memory when you have it set to 900000.. Set it to 1800000 then.. I have mine set at 1600000... And I don't use bogon, I have no use for them, since I only allow IPs from the US and Honduras to hit my Plex.. Clearly those are not bogon, so I have no use for that table..
-
@johnpoz Thx for your reply. With the fearful thought of not 'jinxing it' too much, it seems to have done the trick. I was not sure I could (should) raise the value that much. On the other hand, guess you're right about the size of the table, as I am trying to prevent as much commercial jitter as possible through pfBlocker. I raised the value to 1800000 for now, and am waiting to see if there is any downside to it. Many thanks for your help.
-
Here is the thing, if you're ONLY going to allow what is in your tables to hit your port forwards, then bogons make no sense at all to use, or even to populate the table. Bogon IPv6 is a HUGE table.. IPv4 not so much, and getting smaller every day to be honest, as the rest of the IPv4 space gets used up.
If you were using any that could be allowed to your ports, then ok, bogon would make some sense... Then again, bogons are networks that are not supposed to route on the internet.. So you really should never see any traffic from them.
Trying to block the whole freaking internet is a lost cause.. Allow what you want, it is going to be a much smaller table than every single bad guy IP out there ;)
-
@johnpoz yes, I agree. However, I'm in denial, because I believe I somehow can minimize the impact by blocking advertisement sites and such. I'm an old dinosaur fighting back. Please bear with me.
Have now trawled through my pfBlocker settings and cleaned up my act. That too helped a lot.... Altogether, things are starting to look good.
-
Well, the lists for ads and malware are not all that big.. It's when you start clicking on every possible list that the tables get out of hand ;)
I do all my outbound blocking of ads and such on Pi-hole. I use pfBlocker for GeoIP lists.. Not that pfBlocker cannot do it - but I like the eye candy with Pi-hole better.. I can see what each device is looking up.. And it runs on a Pi with very little resources without any issues at all, since really all that little box is doing is the DNS blocking.
-
@johnpoz I might have to look that way. Have done more cleaning on pfBlocker, and it looks even better now. Do have VMware available at hand, might just throw one Pi-hole in there.... Thank you very much for the input.
-
Well, after a detour I'm back to pfBlocker. Pi-hole is really nice, I installed an Ubuntu/Pi-hole solution on my VMware server, and it ran just great. I have, however, pursued the pfBlocker option, because I would like one box to handle my traffic. Therefore I found a solution for handling pfBlocker errors, I think (so far, so good).
My error consisted of this:
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
I therefore thought I needed to remove all of pfBlocker (uninstalled it) and removed all the tables, with this command:
pfctl -t pfB -T kill
and for my specific filter table, I also cleaned:
pfctl -t pfB_Top_v4 -T kill
No luck... still the memory error flooding the log, like before.
I then found out I could reach out to Netgate support and get a reinstall image for my SG-3100 device.
The reason for this thought was that I originally came from a VMware pfSense to a hardware device, and the configuration might have saved broken references. After a reinstall, I chose to configure everything from scratch: rules, VPN etc.
And then I started to configure pfBlocker. Chose NOT to use the wizard!
- Enabled pfBlocker and chose the first four feeds in IP blocking. Chose to enable the free ones, and the ALIAS DENY setting.
- Enabled the first four DNSBL feeds, did some DNSBL whitelisting, e.g. onedrive.com, office.com etc.
- Did the update routine.
- Configured the firewall rules for each of the ALIASes (chose firewall, and URL) (probably like the wizard will do).
And found out along the way that some similar errors occurred (memory error).
I then increased the Firewall Maximum Table Entries to 9000000.
Still the same log error. I then configured the WAN block rule for the ALIAS, e.g.
only to hit the firewall itself, and not ANY as destination. That did the trick for me.
I came to think that the block rule might run in promiscuous mode, and that could be the reason. I'm not completely sure about all of this, but the firewall has never been better, and pfBlocker is running well and doing the job. Whenever I feel more confident with the performance, I will increase the number of feeds accordingly.
Hope this may help someone else along the way.
-
There is an open bug which almost certainly covers this: https://redmine.pfsense.org/issues/10310
I'm not sure the situation you have ended up with is actually helping you much.
You seem to be blocking traffic coming into the WAN to the firewall itself only?
That traffic is blocked by default anyway unless you're allowing it in other rules we can't see there?
pfBlocker by default will apply that list outbound on WAN as well via floating rules which does prevent internal hosts connecting to them.
Steve
-
@Marty-McFly said in WAN Going Down and Some Errors:
because I would like one box to handle my traffic
Your Pi-hole was running on a VM, so it's not a new "box". And pfSense is handling your traffic.. Pi-hole is just DNS.. Doesn't handle your "traffic".
Do you not have switch(es), do you not have AP(s), do you not have a modem.. You are already not a one-box shop, are you? Unless all you had was a SOHO gateway and no wired devices other than the 4 ports on it.. You have moved away from the one-box-does-everything model anyway ;)
-
@johnpoz guess you're right... The one-box solution statement is not as adequate as I thought... whereas I'm pleased with the setup right now. I do miss the Pi-hole dashboard, much better, but for now I live with the little widget on my pfSense front page.
-
If you haven't already got your issue with the bogonsv6 table figured out, could you try something?
See what your free kmem is at - Diagnostics -> Command Prompt -> execute "sysctl vm.kmem_map_free"
Also, are you using the ramdisk feature? If so, what do you have it set at?
I ran into this error because I had my ramdisk set too close to the max, and reloading the bogonsv6 table takes something like 16MB to 32MB of kmem. It doesn't matter what your max table entries is set to if you don't have the kmem available to house the tables, it seems.
The SG-3100 seems to have a very limited pool of kmem.
Thanks
Josh
-
@stompro thanks for your answer. I'm not able to execute the commands; it does not seem to work, or I might be doing it wrong. So I'm not able to see the kmem layout. But you might have a good point.
btw: I'm not using the ramdisk option at the moment.
-
@stompro sorry for the late posting, my internet provider has had two days of problems due to a power outage in my area.
Result of the <sysctl vm.kmem_map_free> command
"vm.kmem_map_free: 218554368" so guess that's ok...?
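An added example, not code from anyone in this thread: a small Python check that does what stompro suggests, counting the prefixes in pf table files (the one-prefix-per-line format pfSense writes under /var/db/aliastables/ and for /etc/bogonsv6) against 'Firewall Maximum Table Entries', and parsing the sysctl vm.kmem_map_free output against the 16MB to 32MB that stompro reports a bogonsv6 reload needs. The table contents are constructed samples, the kmem value is the one reported above, and the 32MB reserve is an assumption to adjust for your own largest table.

```python
import ipaddress
import re

# Constructed sample table files in the one-prefix-per-line format pfSense
# writes for pf tables (text after "#" is treated as a comment here).
SAMPLE_TABLES = {
    "pfB_Top_v4.txt": "# constructed\n198.51.100.0/24\n203.0.113.0/24\n192.0.2.1\n",
    "bogonsv6": "# constructed\n2001:db8::/32\n::/8\nnot-a-prefix\n",
}
# Constructed sysctl output using the value Marty-McFly reported in the thread.
SAMPLE_SYSCTL = "vm.kmem_map_free: 218554368\n"
# Assumption: reserve the upper end of stompro's 16MB to 32MB estimate for a
# bogonsv6 reload; adjust for your own largest table.
RESERVE_BYTES = 32 * 1024 * 1024


def count_entries(text):
    """Count IPv4/IPv6 prefixes in one table file; returns (v4, v6, bad)."""
    v4 = v6 = bad = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad += 1  # pf would reject this line when loading the table
            continue
        if net.version == 4:
            v4 += 1
        else:
            v6 += 1
    return v4, v6, bad


def parse_kmem_free(sysctl_output):
    """Extract the byte count from 'sysctl vm.kmem_map_free' output."""
    m = re.search(r"vm\.kmem_map_free:\s*(\d+)", sysctl_output)
    return int(m.group(1)) if m else None


def check_tables(tables, max_table_entries, sysctl_output, reserve=RESERVE_BYTES):
    """Compare total entries with the pf limit and free kmem with the reserve."""
    per_table = {name: count_entries(body) for name, body in tables.items()}
    total = sum(v4 + v6 for v4, v6, _ in per_table.values())
    kmem_free = parse_kmem_free(sysctl_output)
    return {"per_table": per_table, "total_entries": total,
            "over_limit": total > max_table_entries, "kmem_free": kmem_free,
            "kmem_ok": kmem_free is not None and kmem_free >= reserve}
```

On a real box, feed it the files read from /var/db/aliastables/ and the actual sysctl output; a table that is under the entry limit but leaves no kmem headroom is exactly the case the thread describes.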