PfBlockerNG high CPU
I know I'm a bit late to the party, but I had a similar issue. I'm posting this to document the cause and the solution.
In my case, I correlated the high CPU load to an unusually high amount of LAN traffic. I isolated it to my Windows 10 desktop machine. Further isolation using the Windows 'Resource Monitor' app identified the activity on the LAN causing the high CPU load; it was Malwarebytes attempting to send its telemetry back to the mothership. It was doggedly persistent. Once I allowed the traffic, all was back to normal. Unfortunately, the clever 404 PHP solution in post 75 didn't work.
@Spacecase I can confirm the issue, I had one machine that was trying to reach out to MalwareBytes telemetry and killing the CPU on my pfSense box.
Once I disabled telemetry, issue resolved. I turned it on again and saw the issue, turned it off again and problem gone.
High CPU attributed to pfBlockerNG.
Issue was traced to a single user with Malwarebytes by examining the pfBlockerNG DNSBL.LOG
Put ".malwarebytes.com" in the DNSBL Whitelist.
CPU returned to its usual value of about 5% (J1900) from 33% (one core almost fully used).
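The triage step described in the post above (reading the DNSBL log to find which single client keeps hitting a blocked domain), as an added example that is not code from any poster or from pfBlockerNG. It assumes comma-separated log lines with the domain and client IP at the field positions given by DOMAIN_FIELD and CLIENT_FIELD; the sample log lines are constructed.

```python
"""Find LAN hosts repeatedly querying DNSBL-blocked domains.

Assumption: each log line is comma-separated with the blocked FQDN at
DOMAIN_FIELD and the querying client at CLIENT_FIELD; adjust the two
indices to match the pfBlockerNG version in use.
"""
from collections import Counter

DOMAIN_FIELD = 2   # assumed 0-based index of the blocked FQDN
CLIENT_FIELD = 3   # assumed 0-based index of the client IP

# Constructed sample: one host retrying a telemetry endpoint, others normal.
SAMPLE_LOG = """\
DNSBL-Full,Mar 3 10:00:01,telemetry.example-av.test,192.168.1.50,DNSBL_Custom
DNSBL-Full,Mar 3 10:00:02,telemetry.example-av.test,192.168.1.50,DNSBL_Custom
DNSBL-Full,Mar 3 10:00:02,ads.example.test,192.168.1.20,DNSBL_EasyList
DNSBL-Full,Mar 3 10:00:03,telemetry.example-av.test,192.168.1.50,DNSBL_Custom
DNSBL-Full,Mar 3 10:00:03,telemetry.example-av.test,192.168.1.50,DNSBL_Custom
DNSBL-Full,Mar 3 10:00:04,tracker.example.test,192.168.1.20,DNSBL_EasyList
malformed line without enough fields
DNSBL-Full,Mar 3 10:00:05,telemetry.example-av.test,192.168.1.50,DNSBL_Custom
"""


def count_blocked_pairs(log_text: str) -> Counter:
    """Count (client, domain) pairs; blank or malformed lines are skipped."""
    pairs = Counter()
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) <= max(DOMAIN_FIELD, CLIENT_FIELD):
            continue
        domain = fields[DOMAIN_FIELD].strip().lower()
        client = fields[CLIENT_FIELD].strip()
        pairs[(client, domain)] += 1
    return pairs


def noisy_clients(log_text: str, threshold: int = 3) -> list:
    """Return (client, domain, hits) for pairs at or above threshold,
    most frequent first: candidates for a whitelist or a firewall block."""
    pairs = count_blocked_pairs(log_text)
    noisy = [(c, d, n) for (c, d), n in pairs.items() if n >= threshold]
    return sorted(noisy, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    for client, domain, hits in noisy_clients(SAMPLE_LOG):
        print(f"{client} -> {domain}: {hits} blocked lookups")
```

Pipe the real log in with `noisy_clients(open(path).read())` and raise the threshold to suit the log's time span.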
Worked for me, thank you!
Thanks everyone for the helpful post.
I wanted to share my story here for the next person from the future that finds it.
This process was previously taking 80% of the CPU, without ever letting up:
78554 root 20 0 9016K 5576K kqread 0 0:02 0.78% /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
I was concerned because that kept the temps on my SG-3100 higher than I was comfortable with.
The key insight for me was that lighttpd_pfb is probably pfBlocker's web server that sends out the "blocked" web page, so something on my network must be spamming it.
A device on my local network occasionally tries to phone home to some.service.com (that's the fake FQDN I'll use). It doesn't do this all the time, but when the attempt fails due to DNSBL, it re-tries repeatedly, causing the CPU spike.
I whitelisted the domain in DNSBL, similar to what others have done. However, I'm not simply giving in to an app's persistent whining to reach a service that I'd prefer it didn't. So, I created a host alias for some.service.com and blocked it in the firewall.
Now the DNS queries go through, and then the request is rejected. pfBlocker's web server is not needed for this, so the CPU load is back to normal.
Just create a new DNSBL Group, and add that domain to the custom list, with Logging set to disabled, and Priority as Primary. Force Reload to apply.
The new Unbound Python mode is better situated to handle this condition.
@bbcan177 AWESOME tip to create a new dnsbl group. Amazon devices were constantly calling api.amplitude.com. Followed your instructions and pfsense down to <10% cpu and <.5 load. THANK YOU!
@bbcan177 An awesome tip, thanks! I wrote my previous post after I first solved the issue and was ready to shelve it for awhile, but I just revisited it and did what you said. More or less the same behavior, but it's much easier!