Firewall Maximum Table Entries



  • Hi, I need your help please!

    I have a server with 50 GB of RAM; I installed my pfSense on this server.
    I have 2 test VLANs connected to pfSense. Before, I had a problem: all was well but I had no connection; the problem was Firewall Maximum Table Entries. When I increased it, the problem was solved, but sometimes pfSense blocks and I still have to modify this table for it to work.

    I read on the forum that 1 GB of RAM corresponds to 1,000,000 in
    Firewall Maximum Table Entries,

    so I put the value at 45,000,000, and I have the connection on a single VLAN, and it does not work with the 2nd VLAN, while I do not have big traffic: I have only 2 PCs / DHCP / an interface for the CARP. I do not understand why the table is full.

    And what should I do?


  • Netgate

    Firewall Maximum Table Entries is for tables (contents of aliases, etc). There was an issue not long ago where the bogonsv6 table outgrew the default size of 200000 so the default was increased to 400000. Setting that to 45,000,000 seems ludicrous.

    Don't confuse that with Firewall Maximum States which is the state tracking table size. If you run a system with millions and millions of states you can expect some trouble viewing states, etc.

    You will need a system to keep up with inserting/deleting states etc.

    Maybe it would be better if you explained exactly what you were trying to do instead. Zero idea what you intend to accomplish in 50G RAM.



  • Hi,
    Why do you say it seems ludicrous to set the table at 45 million? Here is the answer on your forum: https://forum.netgate.com/topic/35054/pfsense-2-0-firewall-maximum-states-firewall-maximum-table-entries/2. If the table depends on the RAM as you say on the forum, then there is no problem increasing it.

    I changed the value now, I put 400,000, but it does not work. I really don't know what I have to do.
    I chose a server with 50G RAM to be sure it will endure the traffic, because there will be 500 users.


  • Netgate

    Please read what I said again. There are TWO different settings, Maximum Table Entries, and Maximum States.

    They are two entirely different things.

    Please let me know when you have a working firewall with more than 5 Million active states.

    400000 is generally plenty for table entries. If you really really need more, set more, but 45 million is just stupid there (unless you really need more table entries than needed to hold every /24 in the IPv4 and IPv6 internet.)

    If you have the RAM and want to set your States into the millions, do it and have fun.

    500 users is pretty much nothing. If they are exhausting millions of states you are doing something wrong. And the number of users is generally irrelevant to the number of table entries required for alias tables. (Again, two completely different things: states and table entries).



  • Okay, so I put:
    Firewall Maximum Table Entries: 400000
    Firewall Maximum States: 4909000

    That's it?


  • Netgate

    Depends on what your problem actually is. You like to say it "doesn't work" without providing any actual error messages, logs, etc.

    But that looks pretty reasonable for a 50GB RAM system with 500 users.



  • Is that a problem, a system with 50G RAM?

    I will explain my problem in detail, maybe you can help me: I have 1 pfSense and 2 VLANs (VLAN 10 and VLAN 20), all is well configured and all works well. After a few days VLAN 10 does not work (I did not change anything in the configuration):

    on VLAN 20: I can connect to the internet
    on VLAN 10: I cannot connect (the machine takes its DHCP address from pfSense, I can access the pfSense administration page with the web browser, but I cannot ping the gateway and I cannot connect to the internet; "it's not a routing or configuration problem")

    I had this problem a week ago (I had error messages), so I changed the "Firewall Maximum States": since it worked before, I told myself that it is the table that was filled up and we must increase its value.

    When I increased its value, VLAN 10 worked, yuppii, I have the connection on VLAN 10. After 2 days it is the same problem, no connection on this VLAN. And now I change the value of Firewall Maximum States but the problem is not solved.


  • Netgate

    If you are running out of states, the System > States graph in System > Monitoring will show that history plainly.

    As I mentioned before, there WAS an issue with the Maximum Table Size being too small to fit the bogonsv6 list. This was corrected by increasing the default to 400000. That DOES NOT MEAN that every problem you have is the same thing.

    My guess is some sort of misconfiguration. Changing the firewall settings probably triggers a filter reload that fixes it if not something completely unrelated.

    Look at Status > Dashboard. How many active states do you have?

    Are you running Snort or Suricata? They can "randomly" block hosts too (but they're just doing what they are told to do.)

    And I might add, you come across as a 17-year-old kid with a huge chip on his shoulder. pfSense really does work and really does work well when configured correctly on solid layers 2 and 1 below it. You might do well to actually read the network troubleshooting documents that have already been posted and actually try to diagnose the problem you are having instead of just "blaming pfSense" and some probably completely unrelated firewall setting. It's getting harder to want to try to help you.

    Given that you have CARP configured on these VLANs and a seemingly-unsolvable dual MASTER issue, I would start by fixing that. You really can't expect solid connectivity when that is so broken.
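As an added example that is not from this thread, pfSense or Netgate, here is a small POSIX shell check that reads the two separate pf limits the posts above keep apart (`table-entries` and `states`, which pfSense's Firewall Maximum Table Entries and Firewall Maximum States settings populate) and reports each against its own current usage, so that a full alias table is not mistaken for state exhaustion or vice versa. The `pfctl -s memory`, `pfctl -s info` and per-table counts it parses are constructed sample text, and the 80% warning threshold is an arbitrary assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare pf's two separate limits,
# "table-entries" and "states", with current usage, parsing the formats of
# `pfctl -s memory` and `pfctl -s info`. All samples below are constructed.
SAMPLE_MEMORY='states        hard limit  4909000
src-nodes     hard limit  4909000
frags         hard limit     5000
table-entries hard limit   400000'
SAMPLE_INFO='Status: Enabled for 3 days 04:11:02           Debug: Urgent

State Table                          Total             Rate
  current entries                    18342
  searches                       904123456         3412.7/s'
# Constructed per-table counts, as `pfctl -t NAME -T show | wc -l` would give
SAMPLE_TABLE_COUNTS='bogons 1523
bogonsv6 262144
snort2c 0
virusprot 0'

# hard_limit NAME: value of "NAME hard limit N" from pfctl -s memory
hard_limit() {
    printf '%s\n' "$SAMPLE_MEMORY" | awk -v k="$1" '$1 == k { print $NF }'
}

# states currently tracked ("current entries" line of pfctl -s info)
current_states() {
    printf '%s\n' "$SAMPLE_INFO" | awk '/current entries/ { print $3 }'
}

# sum of entries across all tables; this is what table-entries limits
total_table_entries() {
    printf '%s\n' "$SAMPLE_TABLE_COUNTS" | awk '{ s += $2 } END { print s + 0 }'
}

# usage_pct USED LIMIT: integer percentage of the limit in use
usage_pct() {
    awk -v u="$1" -v l="$2" 'BEGIN { printf "%d\n", (u * 100) / l }'
}

# check_limits: print both figures separately; fail if either is above 80%
check_limits() {
    st=$(current_states); stl=$(hard_limit states)
    te=$(total_table_entries); tel=$(hard_limit table-entries)
    sp=$(usage_pct "$st" "$stl"); tp=$(usage_pct "$te" "$tel")
    printf 'states:        %s / %s (%s%%)\n' "$st" "$stl" "$sp"
    printf 'table-entries: %s / %s (%s%%)\n' "$te" "$tel" "$tp"
    [ "$sp" -le 80 ] && [ "$tp" -le 80 ]
}

check_limits
```

On a live pfSense box the three SAMPLE_* strings would be replaced by the real `pfctl` output; a steady climb of the states figure toward its limit is what the System > Monitoring states graph mentioned above would show.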



  • I'm not accusing pfSense.
    I have a problem and I asked for your help.

    And you, with your answer, tell people: it's stupid.... I've never seen any helpers like you! I work with several suppliers, HP for example; when I have a problem I call the assistant, and they never answer me with: it's stupid to do that, kid of 17 years.....

    No, seriously!! I think that the image of pfSense is destroyed because of its assistants and their way of responding to their clients. I really thought I would buy the pfSense hardware for the company, but I would not do it again because I know that if I have problems with the assistants


  • Netgate

    If you would listen to suggestions it would be a lot easier to assist you.


© Copyright 2002 - 2018 Rubicon Communications, LLC