File Download/Speed Test Locks Up pfSense



  • Ive run into an issue where if I download a file large enough to take advantage of my full internet connection, 400MBps down, or run a speedtest, my SG-5100 locks up and I have to perform a hard reset. I'm running pfBlockerNG and Suricata and have upgraded the RAM to 16GB. If I disable pfBlockerNG, the issue goes away.

    Is there a way I can tweak pfBlockerNG to improve performance or resolve this issue?



  • I assume the below will be useful, it's the summary information from my last full update:

     69724 total
       40061 /var/db/pfblockerng/deny/Alienvault_v4.txt
       14250 /var/db/pfblockerng/deny/CINS_army_v4.txt
        6181 /var/db/pfblockerng/deny/BDS_TOR_v4.txt
        5174 /var/db/pfblockerng/deny/DNSBLIP_v4.txt
        1465 /var/db/pfblockerng/deny/ET_Comp_v4.txt
         847 /var/db/pfblockerng/deny/ET_Block_v4.txt
         558 /var/db/pfblockerng/deny/ISC_1000_30_v4.txt
         441 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt
         332 /var/db/pfblockerng/deny/Abuse_IPBL_v4.txt
         134 /var/db/pfblockerng/deny/BBC_C2_v4.txt
         107 /var/db/pfblockerng/deny/Abuse_Zeus_v4.txt
          96 /var/db/pfblockerng/deny/Spamhaus_eDrop_v4.txt
          72 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
           5 /var/db/pfblockerng/deny/ISC_Block_v4.txt
           1 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt
    
    ====================[ Empty Lists w/127.1.7.7 ]==================
    
    Spamhaus_Drop_v4.txt
    
    ===[ DNSBL Domain/IP Counts ] ===================================
    
      577637 total
      169469 /var/db/pfblockerng/dnsbl/hpHosts_EMD.txt
      117809 /var/db/pfblockerng/dnsbl/hpHosts_FSA.txt
      115592 /var/db/pfblockerng/dnsbl/hpHosts_PSH.txt
       31567 /var/db/pfblockerng/dnsbl/AntiSocial_BD.txt
       25522 /var/db/pfblockerng/dnsbl/MDS.txt
       17979 /var/db/pfblockerng/dnsbl/hpHosts_PUP.txt
       17508 /var/db/pfblockerng/dnsbl/Shallalist_spyware.txt
        8709 /var/db/pfblockerng/dnsbl/Shallalist_adv.txt
        8376 /var/db/pfblockerng/dnsbl/hpHosts_PHA.txt
        8306 /var/db/pfblockerng/dnsbl/hpHosts_ATS.txt
        7548 /var/db/pfblockerng/dnsbl/Abuse_URLBL.txt
        6456 /var/db/pfblockerng/dnsbl/Spam404.txt
        6054 /var/db/pfblockerng/dnsbl/SWC.txt
        4708 /var/db/pfblockerng/dnsbl/Cameleon.txt
        4410 /var/db/pfblockerng/dnsbl/Shallalist_adv_v4.ip
        3916 /var/db/pfblockerng/dnsbl/CoinBlocker_All.txt
        2532 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
        2523 /var/db/pfblockerng/dnsbl/MDS_Immortal.txt
        2377 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
        1983 /var/db/pfblockerng/dnsbl/hpHosts_MMT.txt
        1900 /var/db/pfblockerng/dnsbl/Abuse_DOMBL.txt
        1707 /var/db/pfblockerng/dnsbl/SBL_ADs.txt
        1505 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
        1335 /var/db/pfblockerng/dnsbl/Shallalist_spyware_v4.ip
        1048 /var/db/pfblockerng/dnsbl/hpHosts_EXP.txt
        1034 /var/db/pfblockerng/dnsbl/hpHosts_WRZ.txt
         999 /var/db/pfblockerng/dnsbl/MDL.txt
         941 /var/db/pfblockerng/dnsbl/EasyList.txt
         894 /var/db/pfblockerng/dnsbl/Shallalist_tracker.txt
         726 /var/db/pfblockerng/dnsbl/Yoyo.txt
         698 /var/db/pfblockerng/dnsbl/BBC_DC2.txt
         463 /var/db/pfblockerng/dnsbl/MVPS.txt
         305 /var/db/pfblockerng/dnsbl/hpHosts_HFS.txt
         268 /var/db/pfblockerng/dnsbl/hpHosts_GRM.txt
         165 /var/db/pfblockerng/dnsbl/hpHosts_HJK.txt
          96 /var/db/pfblockerng/dnsbl/EasyList_Adware.txt
          61 /var/db/pfblockerng/dnsbl/Adaway.txt
          58 /var/db/pfblockerng/dnsbl/Abuse_URLBL_v4.ip
          48 /var/db/pfblockerng/dnsbl/Abuse_Zeus_BD.txt
          19 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
          11 /var/db/pfblockerng/dnsbl/Shallalist_tracker_v4.ip
           5 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
           5 /var/db/pfblockerng/dnsbl/Abuse_CW_C2.txt
           1 /var/db/pfblockerng/dnsbl/EasyPrivacy_v4.ip
           1 /var/db/pfblockerng/dnsbl/D_Me_Malv.txt
           0 /var/db/pfblockerng/dnsbl/ISC_SDH.txt
           0 /var/db/pfblockerng/dnsbl/D_Me_Malw.txt
           0 /var/db/pfblockerng/dnsbl/Abuse_TC_C2.txt
    
    ====================[ IPv4/6 Last Updated List Summary ]==============
    
    Jun 18	07:01	Abuse_Zeus_v4
    Jun 21	12:25	Spamhaus_Drop_v4
    Jun 23	14:38	Spamhaus_eDrop_v4
    Jun 23	23:29	ET_Block_v4
    Jun 23	23:29	ET_Comp_v4
    Jun 24	13:02	ISC_1000_30_v4
    Jun 25	00:06	DNSBLIP_v4
    Jun 25	14:48	CINS_army_v4
    Jun 25	15:12	BBC_C2_v4
    Jun 25	15:46	Alienvault_v4
    Jun 25	15:55	Abuse_IPBL_v4
    Jun 25	16:00	Abuse_Feodo_C2_v4
    Jun 25	16:00	Abuse_SSLBL_v4
    Jun 25	16:00	BDS_TOR_v4
    Jun 25	16:00	ISC_Block_v4
    
    ====================[ DNSBL Last Updated List Summary ]==============
    
    Jul 31	2015	D_Me_Tracking
    Mar 9	2016	D_Me_ADs
    Jan 19	2018	hpHosts_HFS
    Jan 20	2018	Adaway
    Mar 18	2018	Cameleon
    May 25	2018	hpHosts_EXP
    Nov 1	2018	hpHosts_HJK
    Nov 15	2018	hpHosts_GRM
    Nov 29	2018	MDS_Immortal
    Dec 30	03:10	hpHosts_MMT
    Feb 21	11:45	MDL
    May 24	17:05	hpHosts_WRZ
    May 31	22:27	Spam404
    Jun 5	04:11	Yoyo
    Jun 8	12:01	UT1_ddos
    Jun 8	12:01	UT1_malware
    Jun 8	12:01	UT1_phishing
    Jun 8	12:01	UT1_publicite
    Jun 8	12:01	UT1_warez
    Jun 11	14:05	MVPS
    Jun 12	07:18	hpHosts_ATS
    Jun 12	09:23	hpHosts_EMD
    Jun 13	04:32	CoinBlocker_All
    Jun 15	00:01	Abuse_Zeus_BD
    Jun 18	17:08	MDS
    Jun 20	17:34	hpHosts_PHA
    Jun 21	00:47	SWC
    Jun 21	16:43	hpHosts_PUP
    Jun 24	07:41	SBL_ADs
    Jun 24	16:53	hpHosts_FSA
    Jun 24	17:14	hpHosts_PSH
    Jun 24	19:01	Shallalist_adv
    Jun 24	19:01	Shallalist_spyware
    Jun 24	19:01	Shallalist_tracker
    Jun 24	23:04	ISC_SDH
    Jun 24	23:12	BBC_DC2
    Jun 24	23:17	AntiSocial_BD
    Jun 24	23:21	D_Me_Malw
    Jun 24	23:21	D_Me_Malv
    Jun 24	23:41	EasyPrivacy
    Jun 24	23:50	EasyList_Adware
    Jun 24	23:50	EasyList
    Jun 24	23:55	Abuse_DOMBL
    Jun 24	23:55	Abuse_CW_C2
    Jun 24	23:59	SFS_Toxic_BD
    Jun 25	00:00	Abuse_URLBL
    Jun 25	00:00	Abuse_TC_C2
    ===============================================================
    
    Database Sanity check [  PASSED  ]
    ------------------------
    Masterfile/Deny folder uniq check
    Deny folder/Masterfile uniq check
    
    Sync check (Pass=No IPs reported)
    ----------
    
    Alias table IP Counts
    -----------------------------
       69724 total
       40061 /var/db/aliastables/pfB_PRI2_v4.txt
       18308 /var/db/aliastables/pfB_PRI1_v4.txt
        6181 /var/db/aliastables/pfB_TOR_v4.txt
        5174 /var/db/aliastables/pfB_DNSBLIP_v4.txt
    
    pfSense Table Stats
    -------------------
    table-entries hard limit   400000
    Table Usage Count         182125
    
     UPDATE PROCESS ENDED [ 06/25/19 16:35:41 ]


  • I don't run Suricata but I do run pfBlockerNG on a teeny VM with only 1.5GB RAM and can max my 300 Mbps connection. I don't know what your problem is, but could disk space be an issue? Lots of log files?



  • Logs are generated, but circular logging is enabled and they're shipped off to a separate log ingest application. CPU seems fine, I've watched the dashboard CPU monitor and the highest I've seen it get is 65% during these tests.

    BTW, what's with the autocorrect on these forums...what i am typing doesn't match what is being posted.



  • @Grunt0307 Assuming your running the latest release ver of pfSense, 2.4.4.p3? Do you run the devel ver of pfBlockerNG or release? I run the devel ver and it was cake to setup since it comes with some preselected lists. Have you maybe tried testing the PS for voltage and memtest-ing the memory in another box? Maybe you can boot memtest from a USB (don't know if the SG has video out). Tried with Blocker enabled and Suricata disabled?



  • Yes, running the latest version 2.4.4.p3-devel. I haven't tested either of those things, was hoping there was a crash log or something somewhere within the OS.



  • @Grunt0307 Might find something in /var/log/crash



  • I guess I should have tested more thoroughly. I have pfBlockerNG and Suricata running on it. If I disable either of these services, then the device doesn't lock up...though with just Suricata, it struggles to fully saturate a 400Mb pipe.


Log in to reply