Running out of memory on SG-1100 on pfblockerng updates

stephenw10

Enabling SWAP on the SG-1100 would not be at all straight forward if it's in fact possible.
But it would be a bad idea anyway. The eMMC would likely be horribly slow for use as SWAP and it would massively increase the write cycles.

In general if you see pfSense using SWAP on systems that have it enabled it's usually a sign that something is misconfigured anyway.

Steve

nheath

@stephenw10 That is what I was curious about.

The data point about unbound being stopped during the update may be the actual issue as it takes the SG-1110 a long time to parse.

Gertjan

Exact.

The size of this list :

should be reasonable.
That is, a "8 core 3Ghz 32 Gbytes RAM" system could handle more as a SG 1100. Up to you to decide when you reach the point of saturation.
Normally, pfBlockerNG-devel shouldn't restart unbound to often :

/var/log: grep 'Restart' resolver.log
.....
Oct 16 16:01:02 pfsense unbound: [68926:0] notice: Restart of unbound 1.10.1.

= 7 days for me.

nheath

@Gertjan I was under the impression that it reloads unbound on the cron schedule (though I thought I have mine set for 3am but it seems to do it at midnight still) and the update schedule for each list (weekly, daily).

Gertjan

Check who is actually restarting Unbound ;)

stephenw10

Unbound loads a test file before it restarts to be sure it is valid and that requires holding double the config in RAM at that point. That's why it sometimes fails to update but RAM usage looks OK once it's running.
pfBlocker updates the lists on the Cron schedule but will not restart Unbound if there has been no change to them.

Steve

DaddyGo

@stephenw10 said in Running out of memory on SG-1100 on pfblockerng updates:

pfBlocker updates the lists on the Cron schedule but will not restart Unbound if there has been no change to them.

Hi Steve,

yes this is true, but honestly -when there is no change (a tiny) in the lists...?

I have to say, that out of the 100 update forced by cron the UNBOUND restarts 90 times...

stephenw10

For most lists that's true, they are usually quite dynamic. But certainly not all. It just depends what lists you're using. And remember that's only the lists for DNS-BL not the IP lists.

Steve

DaddyGo

@stephenw10 said in Running out of memory on SG-1100 on pfblockerng updates:

But certainly not all.

Yes, yes I agree, but

I will only present the facts which we observed....
My opinion is, use a list that is well maintained, so your/his/her "update frequency" should be at least a couple of days or a week

otherwise the lists, which are old or unmaintained, do not serve their purpose and not to mention the many FPs they can cause....

stephenw10

I agree. But if you have pfBlocker set to update lists every hour I would not expect it to restart Unbound every time.

Steve