pfBlockerNG Log Settings - Max Lines



  • (I tried to find a similar thread, but didn't see anything).

    I'm in the process of fine tuning my pfB settings. In short, I'm wondering what the drawbacks are to increasing the max lines in the log settings. I have two pfSense HyperV VMs using HA/CARP. i5-5500K / i7-4790K, both set to 4 cores. AES-NI CPU Crypto Active and in use. Both on dedicated RAID 1 (256GB 850 Pro SSDs). Up to 32GB RAM, but currently at 16GB (may pull that back). I have noticed significant latency since implementing pfBlockerNG. It might be because I have too many feeds. I'll likely start pulling back on some once I identify which are most effective and drop the less effective ones.

    Finally, to the question. Aside from drive space, what's the drawback of increasing the log limit? As long as I have the drive space, won't it just give me more data to analyze? It won't slow down the firewall performance, will it? I currently have it set to 80,000 lines. Is that too much? Why not just change it to 100K?

    I feel like I have plenty of horse-power. I haven't noticed any decrease in my speed test, whether I'm using PIA VPN or not. Even with this strong bandwidth, I'm noticing significant delays when connecting to things like GoToMeeting, but only when pfBlockerNG is activated. It makes me think that more CPU, RAM, bandwidth, or SSD speed won't help.

    It seems like bandwidth isn't affected, but pfB creates additional latency. Is the only answer to pull back the number of feeds I activate? I don't have them all activated. Maybe 1/3 - 1/2 of the available feeds.

    Thoughts? (I just realized this is a 2nd question) Sorry.

    Thanks.


  • Moderator

    @talaverde

    I would think you issues might be that IPs/Domains are being blocked. Review the Alerts Tab for more details. You have sufficient hardware to handle pfBlockerNG.

    You can also increase the pfSense DNS Resolver Log Verbosity to 2 and review the resolver.log for additional clues to see if there are other issues.