Upgrade to 2.4.5 > 2.4.4-p3 SG-3100 ipv6 bogon list issue

  • Upgrading my SG-3100 from 2.4.4-P3 to 2.4.5, I get the following issue after it boots back up when I log in for the first time:

    *Filter Reload

    There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: too many elements. - The line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"
    @ 2020-02-11 14:45:31*

I was told to open a new thread about this. It was suggested I increase my Firewall Maximum Table Entries to several hundred thousand; I have it set to 850k and still receive this error message.

    This is a very basic install, no weird rules or options, or even packages installed. I have duplicated the problem twice now.

  • Rebel Alliance Developer Netgate

    Are you certain you upgraded to 2.4.5 and didn't somehow end up partially upgrading to 2.5.0?

    This looks like https://redmine.pfsense.org/issues/9356 but that sysctl oid is not present in 2.4.5.

What do the following commands report?

    uname -a
    cat /etc/version
    pkg info -x pfsense

  • Rebel Alliance Developer Netgate

    OK, I managed to reproduce this finally on the latest snapshot.

  • OK cool. Anything you want me to try to fix it?

  • Rebel Alliance Developer Netgate

    There doesn't appear to be anything that mitigates it short of disabling bogons at the moment.

    I opened https://redmine.pfsense.org/issues/10254 with more details

I don't know if it's related, but I get tens of error log lines like "/tmp/rules.debug:31: cannot define table bogonsv6: Invalid argument" and
    "There were error(s) loading the rules: /tmp/rules.debug:30: cannot define table bogonsv6: Invalid argument - The line in question reads [30]: table <bogonsv6> persist file "/etc/bogonsv6""
    in the latest build, 2.4.5-RC Feb 13 17:39:39 EST 2020,
    but that RC seems to completely break the routing function and 2 of 3 WAN interfaces. I have IPv6 enabled.
    The previous build from Feb 13th was fine, but this one had more updated packages.

    No-one can get out except the firewall itself. All firewall rules in LAN are showing 0/0 hits.

  • Rebel Alliance Developer Netgate

    Reboot again and you'll be OK.

    The higher net.pf.request_maxcount limit isn't getting set on the first boot with the new snapshot, but the next reboot will be fine.

    It didn't break routing, but the filter rules didn't load so you wouldn't have working NAT.

    We're still working on it, but it's better now than it was before for most (especially ARM).

  • Is this version usable again on the arm appliances then? It sounds like you have to do the upgrade and then reboot it for it to work fully.

  • Rebel Alliance Developer Netgate

    It works with large tables so long as you do the extra reboot right now. Once we put in a fix for that, it won't be necessary.

  • I can confirm this works on my sg-3100 now. You have to do the upgrade from 2.4.4 to 2.4.5, and then once it comes back up from the upgrade reboot the box one more time, and after about a minute ipv6 connectivity will work again.
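    The developer's explanation above is that the table load fails when the entry count in the persisted bogon file exceeds pf's net.pf.request_maxcount limit. The following diagnostic is an added example, not code from the thread or from pfSense: it counts the addresses a table file would load and compares them against a limit you pass in. On a pfSense/FreeBSD box the live limit would come from `sysctl -n net.pf.request_maxcount` (assumed available there); the sample table file and the limits used below are constructed so the check runs anywhere.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): does a pf table file fit under
# request_maxcount? pf loads the whole file in one request, so a file with
# more entries than the limit fails with "too many elements".

# count_table_entries FILE -> prints the number of address lines,
# skipping blank lines and '#' comments the way pfctl does.
count_table_entries() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# table_fits FILE LIMIT -> exit 0 if the entries fit within LIMIT, else 1
table_fits() {
    entries=$(count_table_entries "$1")
    [ "$entries" -le "$2" ]
}

# report_table FILE LIMIT -> one-line verdict on stdout
report_table() {
    n=$(count_table_entries "$1")
    if table_fits "$1" "$2"; then
        echo "$1: $n entries, fits within request_maxcount=$2"
    else
        echo "$1: $n entries exceed request_maxcount=$2 (pf would report 'too many elements')"
    fi
}

# Constructed sample in the shape of /etc/bogonsv6 (comments plus prefixes);
# this is NOT the real bogon list.
SAMPLE_TABLE=$(mktemp)
trap 'rm -f "$SAMPLE_TABLE"' EXIT
cat > "$SAMPLE_TABLE" <<'EOF'
# constructed sample, not the real bogon list
::/8
0100::/64

2001:db8::/32
fe80::/10
EOF

# Constructed limits: a tiny one to show the failure, a large one to show success.
report_table "$SAMPLE_TABLE" 3
report_table "$SAMPLE_TABLE" 850000
```

    On a live box, run `report_table /etc/bogonsv6 "$(sysctl -n net.pf.request_maxcount)"` after the first post-upgrade boot and again after the extra reboot to confirm the higher limit actually took effect.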
