File Download/Speed Test Locks Up pfSense

Grunt0307

Ive run into an issue where if I download a file large enough to take advantage of my full internet connection, 400MBps down, or run a speedtest, my SG-5100 locks up and I have to perform a hard reset. I'm running pfBlockerNG and Suricata and have upgraded the RAM to 16GB. If I disable pfBlockerNG, the issue goes away.

Is there a way I can tweak pfBlockerNG to improve performance or resolve this issue?

Grunt0307

I assume the below will be useful, it's the summary information from my last full update:

 69724 total
   40061 /var/db/pfblockerng/deny/Alienvault_v4.txt
   14250 /var/db/pfblockerng/deny/CINS_army_v4.txt
    6181 /var/db/pfblockerng/deny/BDS_TOR_v4.txt
    5174 /var/db/pfblockerng/deny/DNSBLIP_v4.txt
    1465 /var/db/pfblockerng/deny/ET_Comp_v4.txt
     847 /var/db/pfblockerng/deny/ET_Block_v4.txt
     558 /var/db/pfblockerng/deny/ISC_1000_30_v4.txt
     441 /var/db/pfblockerng/deny/Abuse_Feodo_C2_v4.txt
     332 /var/db/pfblockerng/deny/Abuse_IPBL_v4.txt
     134 /var/db/pfblockerng/deny/BBC_C2_v4.txt
     107 /var/db/pfblockerng/deny/Abuse_Zeus_v4.txt
      96 /var/db/pfblockerng/deny/Spamhaus_eDrop_v4.txt
      72 /var/db/pfblockerng/deny/Abuse_SSLBL_v4.txt
       5 /var/db/pfblockerng/deny/ISC_Block_v4.txt
       1 /var/db/pfblockerng/deny/Spamhaus_Drop_v4.txt

====================[ Empty Lists w/127.1.7.7 ]==================

Spamhaus_Drop_v4.txt

===[ DNSBL Domain/IP Counts ] ===================================

  577637 total
  169469 /var/db/pfblockerng/dnsbl/hpHosts_EMD.txt
  117809 /var/db/pfblockerng/dnsbl/hpHosts_FSA.txt
  115592 /var/db/pfblockerng/dnsbl/hpHosts_PSH.txt
   31567 /var/db/pfblockerng/dnsbl/AntiSocial_BD.txt
   25522 /var/db/pfblockerng/dnsbl/MDS.txt
   17979 /var/db/pfblockerng/dnsbl/hpHosts_PUP.txt
   17508 /var/db/pfblockerng/dnsbl/Shallalist_spyware.txt
    8709 /var/db/pfblockerng/dnsbl/Shallalist_adv.txt
    8376 /var/db/pfblockerng/dnsbl/hpHosts_PHA.txt
    8306 /var/db/pfblockerng/dnsbl/hpHosts_ATS.txt
    7548 /var/db/pfblockerng/dnsbl/Abuse_URLBL.txt
    6456 /var/db/pfblockerng/dnsbl/Spam404.txt
    6054 /var/db/pfblockerng/dnsbl/SWC.txt
    4708 /var/db/pfblockerng/dnsbl/Cameleon.txt
    4410 /var/db/pfblockerng/dnsbl/Shallalist_adv_v4.ip
    3916 /var/db/pfblockerng/dnsbl/CoinBlocker_All.txt
    2532 /var/db/pfblockerng/dnsbl/SFS_Toxic_BD.txt
    2523 /var/db/pfblockerng/dnsbl/MDS_Immortal.txt
    2377 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
    1983 /var/db/pfblockerng/dnsbl/hpHosts_MMT.txt
    1900 /var/db/pfblockerng/dnsbl/Abuse_DOMBL.txt
    1707 /var/db/pfblockerng/dnsbl/SBL_ADs.txt
    1505 /var/db/pfblockerng/dnsbl/D_Me_ADs.txt
    1335 /var/db/pfblockerng/dnsbl/Shallalist_spyware_v4.ip
    1048 /var/db/pfblockerng/dnsbl/hpHosts_EXP.txt
    1034 /var/db/pfblockerng/dnsbl/hpHosts_WRZ.txt
     999 /var/db/pfblockerng/dnsbl/MDL.txt
     941 /var/db/pfblockerng/dnsbl/EasyList.txt
     894 /var/db/pfblockerng/dnsbl/Shallalist_tracker.txt
     726 /var/db/pfblockerng/dnsbl/Yoyo.txt
     698 /var/db/pfblockerng/dnsbl/BBC_DC2.txt
     463 /var/db/pfblockerng/dnsbl/MVPS.txt
     305 /var/db/pfblockerng/dnsbl/hpHosts_HFS.txt
     268 /var/db/pfblockerng/dnsbl/hpHosts_GRM.txt
     165 /var/db/pfblockerng/dnsbl/hpHosts_HJK.txt
      96 /var/db/pfblockerng/dnsbl/EasyList_Adware.txt
      61 /var/db/pfblockerng/dnsbl/Adaway.txt
      58 /var/db/pfblockerng/dnsbl/Abuse_URLBL_v4.ip
      48 /var/db/pfblockerng/dnsbl/Abuse_Zeus_BD.txt
      19 /var/db/pfblockerng/dnsbl/D_Me_Tracking.txt
      11 /var/db/pfblockerng/dnsbl/Shallalist_tracker_v4.ip
       5 /var/db/pfblockerng/dnsbl/EasyList_v4.ip
       5 /var/db/pfblockerng/dnsbl/Abuse_CW_C2.txt
       1 /var/db/pfblockerng/dnsbl/EasyPrivacy_v4.ip
       1 /var/db/pfblockerng/dnsbl/D_Me_Malv.txt
       0 /var/db/pfblockerng/dnsbl/ISC_SDH.txt
       0 /var/db/pfblockerng/dnsbl/D_Me_Malw.txt
       0 /var/db/pfblockerng/dnsbl/Abuse_TC_C2.txt

====================[ IPv4/6 Last Updated List Summary ]==============

Jun 18	07:01	Abuse_Zeus_v4
Jun 21	12:25	Spamhaus_Drop_v4
Jun 23	14:38	Spamhaus_eDrop_v4
Jun 23	23:29	ET_Block_v4
Jun 23	23:29	ET_Comp_v4
Jun 24	13:02	ISC_1000_30_v4
Jun 25	00:06	DNSBLIP_v4
Jun 25	14:48	CINS_army_v4
Jun 25	15:12	BBC_C2_v4
Jun 25	15:46	Alienvault_v4
Jun 25	15:55	Abuse_IPBL_v4
Jun 25	16:00	Abuse_Feodo_C2_v4
Jun 25	16:00	Abuse_SSLBL_v4
Jun 25	16:00	BDS_TOR_v4
Jun 25	16:00	ISC_Block_v4

====================[ DNSBL Last Updated List Summary ]==============

Jul 31	2015	D_Me_Tracking
Mar 9	2016	D_Me_ADs
Jan 19	2018	hpHosts_HFS
Jan 20	2018	Adaway
Mar 18	2018	Cameleon
May 25	2018	hpHosts_EXP
Nov 1	2018	hpHosts_HJK
Nov 15	2018	hpHosts_GRM
Nov 29	2018	MDS_Immortal
Dec 30	03:10	hpHosts_MMT
Feb 21	11:45	MDL
May 24	17:05	hpHosts_WRZ
May 31	22:27	Spam404
Jun 5	04:11	Yoyo
Jun 8	12:01	UT1_ddos
Jun 8	12:01	UT1_malware
Jun 8	12:01	UT1_phishing
Jun 8	12:01	UT1_publicite
Jun 8	12:01	UT1_warez
Jun 11	14:05	MVPS
Jun 12	07:18	hpHosts_ATS
Jun 12	09:23	hpHosts_EMD
Jun 13	04:32	CoinBlocker_All
Jun 15	00:01	Abuse_Zeus_BD
Jun 18	17:08	MDS
Jun 20	17:34	hpHosts_PHA
Jun 21	00:47	SWC
Jun 21	16:43	hpHosts_PUP
Jun 24	07:41	SBL_ADs
Jun 24	16:53	hpHosts_FSA
Jun 24	17:14	hpHosts_PSH
Jun 24	19:01	Shallalist_adv
Jun 24	19:01	Shallalist_spyware
Jun 24	19:01	Shallalist_tracker
Jun 24	23:04	ISC_SDH
Jun 24	23:12	BBC_DC2
Jun 24	23:17	AntiSocial_BD
Jun 24	23:21	D_Me_Malw
Jun 24	23:21	D_Me_Malv
Jun 24	23:41	EasyPrivacy
Jun 24	23:50	EasyList_Adware
Jun 24	23:50	EasyList
Jun 24	23:55	Abuse_DOMBL
Jun 24	23:55	Abuse_CW_C2
Jun 24	23:59	SFS_Toxic_BD
Jun 25	00:00	Abuse_URLBL
Jun 25	00:00	Abuse_TC_C2
===============================================================

Database Sanity check [  PASSED  ]
------------------------
Masterfile/Deny folder uniq check
Deny folder/Masterfile uniq check

Sync check (Pass=No IPs reported)
----------

Alias table IP Counts
-----------------------------
   69724 total
   40061 /var/db/aliastables/pfB_PRI2_v4.txt
   18308 /var/db/aliastables/pfB_PRI1_v4.txt
    6181 /var/db/aliastables/pfB_TOR_v4.txt
    5174 /var/db/aliastables/pfB_DNSBLIP_v4.txt

pfSense Table Stats
-------------------
table-entries hard limit   400000
Table Usage Count         182125

 UPDATE PROCESS ENDED [ 06/25/19 16:35:41 ]

provels

I don't run Suricata but I do run pfBlockerNG on a teeny VM with only 1.5GB RAM and can max my 300 Mbps connection. I don't know what your problem is, but could disk space be an issue? Lots of log files?

Grunt0307

Logs are generated, but circular logging is enabled and they're shipped off to a separate log ingest application. CPU seems fine, I've watched the dashboard CPU monitor and the highest I've seen it get is 65% during these tests.

BTW, what's with the autocorrect on these forums...what i am typing doesn't match what is being posted.

provels

@Grunt0307 Assuming your running the latest release ver of pfSense, 2.4.4.p3? Do you run the devel ver of pfBlockerNG or release? I run the devel ver and it was cake to setup since it comes with some preselected lists. Have you maybe tried testing the PS for voltage and memtest-ing the memory in another box? Maybe you can boot memtest from a USB (don't know if the SG has video out). Tried with Blocker enabled and Suricata disabled?

Grunt0307

Yes, running the latest version 2.4.4.p3-devel. I haven't tested either of those things, was hoping there was a crash log or something somewhere within the OS.

provels

@Grunt0307 Might find something in /var/log/crash

Grunt0307

I guess I should have tested more thoroughly. I have pfBlockerNG and Suricata running on it. If I disable either of these services, then the device doesn't lock up...though with just Suricata, it struggles to fully saturate a 400Mb pipe.