Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!

Bob.Dig

I was on pfSense 2.5 Development Snapshots before. Something didn't worked as expected, don't even remember what, so I did a fresh install of pfSense 2.4.5 and dialed in all my settings manually the last days. pfSense is running as a VM in Hyper-V.
When everything was fine, I did the last thing, installed pfBlockerNG-devel 2.2.5_30. I then made all the feed-rules and as I was finished and run the update, things became critical.

The cpu (4 of 8 Ryzen 2700X cores) got utilized 100% all the time, webgui became sluggish, gateways shown offline! After some time I decided to reboot the VM. But the bootup afterwards took ages with again 100% cpu utilization.
I already saw my "work" of the last days gone... After quite some time (maybe 15 Minutes), pfSense was fully bootet, still 100% load but somehow I could disable pfBlocker. Load went to 0%. I then uninstalled pfBlocker, rebooted and now I am writing this and it is looking good so far.

Rico

https://redmine.pfsense.org/issues/10414
Have you tried only using one CPU core?

-Rico

Bob.Dig

@Rico I used it with four cores before on 2.4.4 and 2.5 and always with the latest pfBlockerNG with no problem.

Thank god, suricata exist. I thought I had no use case for it anymore... till now.

Gertjan

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

2.4.4 and 2.5

2.4.4 is based on FreeBSD 11.2
2.5.0 is based on FreeBSD 12.0
2.4.5 is based on FreeBSD 11.3 - and that version, using a VM and multiple core, had a lot of recent feedback.

I'm using 2.4.5 on a VM - Hyper-V Windows Pro @home, and guess what : no issues what so ever.
Because the processor I use seemed good enough to handle 'some router tasks' I assigned it one core a year ago.
Guess that was the right decision all the way ...
2.4.5 : no issues what so ever.

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

Thank god, suricata exist.

In what kind of network neighbourhood are you administrating pfSense ? I'm still looking for a reason to use such a service....

Bob.Dig

@Gertjan It is my Homerouter and I am hosting some stuff at home: email, teamspeak, xmpp.

With pfblocker I used almost all the feeds to be blocked on WAN.
Then I used the GEO-IP to alias permit some open ports.

No problem on 2.4.4 and 2.5.0.

Sure I could try one core only, but hardly to belief this will not trigger the problem.

Gertjan

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

I am hosting some stuff at home: email, teamspeak, xmpp.

Ahh. Got it.
All that is impossible for me. First of all, the IP @home is an ISP IP for me, thus totally unusable for mail receiving and sending. I'm using TS also. I thrown all these kind of services on a dedicated server (a classic Debian server - no GUI), using a hosting company.
And guess what : except for a fail2ban 'with nervous rules' : I'm not use any added protection on that server. Runs fine since 2003.

Bob.Dig

@Gertjan said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

2.4.5 is based on FreeBSD 12.3

Mine says
2.4.5-RELEASE (amd64)
FreeBSD 11.3- STABLE but probably just a mistype.
You know what, I will try one core and report back.

Gertjan

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

2.4.5-RELEASE (amd64)
FreeBSD **11.3-**STABL

You're right - I edited.

Bob.Dig

@Gertjan said in [Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5

First of all, the IP @home is an ISP IP for me, thus totally unusable for mail receiving.

Sending is the problem with such an IP I think.

And guess what : except for a fail2ban 'with nervous rules' : I'm not use any added protection on that server. Runs fine since 2003.

Sure but where is the fun.

Gertjan

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

Sending is the problem

Right again - I already edited that also.
(coffee isn't working this morning ....)

Bob.Dig

@Rico said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

https://redmine.pfsense.org/issues/10414
Have you tried only using one CPU core?

-Rico

So today I tried with one core only and the installation and updating the feeds and stuff worked good. Last time I did it, the reputation tab didn't worked at all (broken link), but back then I ignored that. This time I also raised the Memory to 8 Gigs. Bootup is still slow with high cpu loads for some limited time. I then gave that vm the four cores and first it looked good but then the problems occurred again. On next boot I had to stop the vm because of the high cpu-load. I then reduced the cores to one, but the image already was broken and pfsense wasn't able to boot anymore...
Also with one core it might be running but I saw some high cpu usage...
I somehow wonder how this became final, maybe to many testers where already on 2.5...

Gertjan

@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:

I somehow wonder how this became final, maybe

All 2.4.4-p3-RC candidates used FreeBSD 11.2.
2.4.5 uses FreeBSD 11.3 .....

Bob.Dig

@Gertjan Thanks.

Maybe one core isn't that bad. We'll see.

Looking good so far.