WAN Going Down and Some Errors

johnpoz

Here is the thing, if your ONLY going to allow what is in your tables to hit your port forwards, then bogon make no sense at all to use or populate the table even. Bogon IPv6 is a HUGE table.. ipv4 not so much, and getting smaller every day to be honest and the rest of the IPv4 space gets used up.

If you were using any that could be allowed to your ports, then ok bogon would make some some sense... Then again bogon's are network that are not suppose to route on the internet.. So you really should never see any traffic from them.

Trying to block the whole freaking internet is a lost cause.. Allow what you want, it is going to be much smaller table, then every single bad guy IP out there ;)

Marty McFly

@johnpoz yes, i agree. However, im in denial, because i belive i somehow can minimize the impact by blocking advertisment sites and such. Im an old dinasaurus fighting back. Please bear with me.

Have now trolled my pfBlocker settings and cleaned my act. That too helped a lot.... All together, things are starting to look good.

johnpoz

Well the lists for ads and malware are not all that big.. Its when you start clicking on every possible list that the tables get out of hand ;)

I do all my outbound blocking of ads and such on pihole. I use pfblocker for geoip lists.. Not that pfblocker can not do it - but I like the eyecandy with pihole better.. I can see what each device is looking up.. And it runs on a pi with very little resources without any issues at all, since really all that little box is doing is the dns blocking.

Marty McFly

@johnpoz i might have to look that way. Have done more cleaning on pfBlocker, and it looks even better now. Do have a vmWare avaiable at hand, might just throw one pihole in there....Thank you very much for input.

Marty McFly

Well, after a detour im back to pfBlocker. Pi-Hole is really nice, i installed a Ubuntu/Pi-Hole solution on my vmWare server, and it ran just great. I have however, persued the pfBlocker option, because i would like one box to handle my traffic. Therefore i found a solution on handling pfBlocker errors, i think (so far, so good)

My error consisted of this error,.
rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table pfB_Top_v4: Cannot allocate memory - The line in question reads [24]: table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"

i therefore thought i needed to remove all pfBlocker (uninstalled it) and removed all tables inside the tables. with this command.

pfctl -t pfB -T kill
and for my specific filter table, i also cleaned:

pfctl -t pfB_Top_v4 -T kill

No luck...still memory error log flooding, like before.
I then found out i could reach out to Netgate support and have a reinstall-image for my SG-3100 device.
The reason for this thought, was that originaly came from a vmWare pfSense to a hardware device, and the configuration might have saved broken references.

After a reinstall, i choose to configure everything from scratch. Rules, Vpn etc.
and then i started to configure PfBlocker. Choose NOT to use the wizard!

1. Enabled pfBlocker and choose the first four feeds in ip blocking. Choose to use enable the free once, and ALIAS DENY setting.
2. Enabled the DNBL first four feeds, did some DNSBL whitelist ex. onedrive.com, office.com etc.
3. did the update routine.
4. configured the firewalls rules for each of the ALIAS (choose firewall, and URL) (probely like the wizard will do)

and found out along the way, some similar errors occured. (memory error)
I then increased the Firewall Maximum Table Entries to 9000000.
still same log error. I then configured the WAN block rule for the ALIAS ex.

only to hit the firewall itself, and not ANY in destination. That did the trick for me.
I came to think that the block rule might run Promiscuous mode, and that could be the reason. Im not completly sure about all of this, but the firewall have never been better, and the pfBlocker is running well, and doing the job.

When ever i feel more confident with the perfomance, i will increase the numer of feeds accordingly.
Hope this may help someone else the way.

stephenw10

There is an open bug which almost certainly covers this: https://redmine.pfsense.org/issues/10310

I'm not sure the situation you have ended up with is actually helping you much.

You seem to be blocking traffic coming into the WAN to the firewall itself only?

That traffic is blocked by default anyway unless you're allowing it in other rules we can't see there?

pfBlocker by default will apply that list outbound on WAN as well via floating rules which does prevent internal hosts connecting to them.

Steve

johnpoz

@Marty-McFly said in WAN Going Down and Some Errors:

because i would like one box to handle my traffic

Your pihole was running on vm, so its not a new "box" And pfsense is handling your traffic.. pihole is just dns.. Doesn't handle your "traffic"

Do you not have switch(es), do you not have AP(s), do you not have modem.. You are already not one-box-shop are you? Unless all you had was a soho gateway and no wired devices other than the 4 ports on it.. Your have moved away from the onebox does everything model anyway ;)

Marty McFly

@johnpoz guess your right...One-box solution statement is not as adequate as i thought...whereas im please with the setup right now. I do miss the PiHole dashboard, much better, but for now i live with the little widget on my pfsense frontpage.

stompro

@Marty-McFly

If you haven't already got your issue with the bogonv6 table figured out, could you try something.

See what your free kmem is at - Diagnostic -> command prompt -> execute "sysctrl vm.kmem_map_free"

Also, are you using the ramdisk feature? If so, what do you have it set at?

I ran into this error because I had my ramdisk set too close to the max, and reloading the bogonsv6 table takes something like 16Mb to 32Mb of kmem. It doesn't matter what your max table entries is set to, if you don't have the kmem available to house the tables it seems.

The SG-3100 seems to have a very limited pool of kmem.

Thanks
Josh

Marty McFly

@stompro thanks for your answer. Im not able to execute the commands, does not seem to work, or i might do it wrong. So im not able to see the kmem layout. But you might have a good point.
btw: I'm not using the ramdisk option at the moment.

stompro

@Marty-McFly

Sorry, typo on my part, please try

sysctl vm.kmem_map_free

Josh

Marty McFly

@stompro sorry for late posting, my internetprovider have had two days with problems due to power-outage in my area.
Result of the <sysctl vm.kmem_map_free> command
"vm.kmem_map_free: 218554368" so guess thats ok...?