Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!
-
I was on pfSense 2.5 Development Snapshots before. Something didn't work as expected, I don't even remember what, so I did a fresh install of pfSense 2.4.5 and dialed in all my settings manually over the last days. pfSense is running as a VM in Hyper-V.
When everything was fine, I did the last thing: installed pfBlockerNG-devel 2.2.5_30. I then made all the feed rules, and when I was finished and ran the update, things became critical. The CPU (4 of 8 Ryzen 2700X cores) got utilized 100% all the time, the webgui became sluggish, and gateways showed as offline! After some time I decided to reboot the VM. But the bootup afterwards took ages, again with 100% CPU utilization.
I already saw my "work" of the last days gone... After quite some time (maybe 15 minutes), pfSense was fully booted, still at 100% load, but somehow I could disable pfBlocker. Load went to 0%. I then uninstalled pfBlocker, rebooted, and now I am writing this and it is looking good so far.
-
https://redmine.pfsense.org/issues/10414
Have you tried only using one CPU core?
-Rico
-
@Rico I used it with four cores before on 2.4.4 and 2.5 and always with the latest pfBlockerNG with no problem.
Thank god, suricata exists. I thought I had no use case for it anymore... till now.
-
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
2.4.4 and 2.5
2.4.4 is based on FreeBSD 11.2
2.5.0 is based on FreeBSD 12.0
2.4.5 is based on FreeBSD 11.3 - and that version, using a VM and multiple cores, had a lot of recent feedback.
I'm using 2.4.5 on a VM - Hyper-V Windows Pro @home, and guess what: no issues whatsoever.
Because the processor I use seemed good enough to handle 'some router tasks' I assigned it one core a year ago.
Guess that was the right decision all the way ...
2.4.5: no issues whatsoever.
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
Thank god, suricata exists.
In what kind of network neighbourhood are you administering pfSense? I'm still looking for a reason to use such a service....
-
@Gertjan It is my Homerouter and I am hosting some stuff at home: email, teamspeak, xmpp.
With pfblocker I used almost all the feeds to be blocked on WAN.
Then I used the GEO-IP to alias permit some open ports.
No problem on 2.4.4 and 2.5.0.
Sure, I could try one core only, but it's hard to believe this will not trigger the problem.
-
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
I am hosting some stuff at home: email, teamspeak, xmpp.
Ahh. Got it.
All that is impossible for me. First of all, the IP @home is an ISP IP for me, thus totally unusable for mail receiving and sending. I'm using TS also. I've thrown all these kinds of services on a dedicated server (a classic Debian server - no GUI), using a hosting company.
And guess what: except for a fail2ban 'with nervous rules', I'm not using any added protection on that server. Runs fine since 2003.
-
@Gertjan said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
2.4.5 is based on FreeBSD 12.3
Mine says
2.4.5-RELEASE (amd64)
FreeBSD 11.3-STABLE
but probably just a mistype.
You know what, I will try one core and report back.
-
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
2.4.5-RELEASE (amd64)
FreeBSD **11.3-**STABLE
You're right - I edited.
-
@Gertjan said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
First of all, the IP @home is an ISP IP for me, thus totally unusable for mail receiving.
Sending is the problem with such an IP I think.
And guess what: except for a fail2ban 'with nervous rules', I'm not using any added protection on that server. Runs fine since 2003.
Sure but where is the fun.
-
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
Sending is the problem
Right again - I already edited that also.
(coffee isn't working this morning ....)
-
@Rico said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
https://redmine.pfsense.org/issues/10414
Have you tried only using one CPU core?
-Rico
So today I tried with one core only, and the installation and updating of the feeds and stuff worked well. Last time I did it, the reputation tab didn't work at all (broken link), but back then I ignored that. This time I also raised the memory to 8 gigs. Bootup is still slow, with high CPU load for some limited time. I then gave that VM the four cores and at first it looked good, but then the problems occurred again. On the next boot I had to stop the VM because of the high CPU load. I then reduced the cores to one, but the image was already broken and pfSense wasn't able to boot anymore...
Also, with one core it might be running, but I saw some high CPU usage...
I somehow wonder how this became final, maybe too many testers were already on 2.5...
-
@Bob-Dig said in Warning: pfBlockerNG-devel 2.2.5_30 almost crushed my new 2.4.5 install!:
I somehow wonder how this became final, maybe
All 2.4.4-p3-RC candidates used FreeBSD 11.2.
2.4.5 uses FreeBSD 11.3 .....
-