Processus pfctl and latencies

sebastienfr

Hi Everybody,

I have been using Pfsense for several months.

I am experiencing latency issues. I monitored my system and I noticed that the latency appear whith the processus

/sbin/pfctl -o basic -f /tmp/rules.debug

If I understood correctly, this processus appear when the rules load again.

My configuration :
4Core Celeron CPU J1900 1.99 Ghz and 8Go of RAM

Can i change the frequency of the rules loading ?

Thank you for your Help.

Sebastien

Gertjan

@sebastienfr said in Processus pfctl and latencies:

pfctl

Click and pick.

sebastienfr

Hello

I tried to desactivate pfctl, but the prosessus continu to load regularly.

Sébastien

Gertjan

You can't desactivate pfctl.
That would like cutting out the hart of pfSense.

It's the man firewall, 'pf' controller program.
To stop it, you would have to stop the firewall all together.

Your not using a VM ?
edit : Your using pfBlockerNG(devel) ?

sebastienfr

Thanks to take the time for your answer.

I know that i can't deactivate the pfctl definitively. I wished to test if it was this service that was causing the malfunction.

Apparently, this command (/sbin/pfctl -o basic -f /tmp/rules.debug) is not always active, but appear at regular intervals. Perhaps it's an another processus. My idea is modify the delay of the calling of this processus.

Sebastien

sebastienfr

I am not using a VM, and yes i use pfblocker, but i tried to deactivate. This is the same result.

Thank you

bmeeks

@sebastienfr said in Processus pfctl and latencies:

I am not using a VM, and yes i use pfblocker, but i tried to deactivate. This is the same result.

Thank you

Anything that causes pfctl to modify large pf tables can trigger the latency and CPU utilization issue. Two prime examples are pfBlockerNG with large IP lists; and the built-in pfSense "block bogons" feature. If you have "Block Bogons" enabled on your interfaces, that can trigger the issue when those tables are manipulated. One other thing that seems to exacerbate the issue is use of multiple cores in a virtualized pfSense installation. In that case (when running pfSense on a Hypervisor), reducing pfSense to a single core seems to help according to other posts here on the forum.

The developer team is aware of this issue and is looking for the root cause in order to effect a fix. Until then, if the stalls and latency are an issue for you, they can be mitigated by temporarily disabling processes that manipulate large address tables. The two places where most folks have success is disabling pfBlockerNG (or else greatly reduce the number and size of IP lists it maintains) and disabling the "Block Bogons" feature on the interfaces.

sebastienfr

Hello,

I found the solution.

I tried to reset my firewall. But the problem was still.

I tried to change the OS, and i installed a debian. I had lot of problems. And there was a problem to recognize the hard disk.

After several tests, I bought a new hard disk, and now the problem is solve.

In fact, I think the differents calls of the processus had to read on my faulty hard drive.

Thank you for your answers and your time

Sebastien

Gertjan

This widget :

is not a gadget ;)

( Same for NUT/UPS - a must have )

jimp

https://forum.netgate.com/post/908806