There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements.

DD

After upgrade from 2.5.0-DEVELOPMENT (amd64) built on Tue Aug 18 to 2.5.0.a.20200902.1850 there are error logs:

There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements. - The line in question reads [19]: table bogonsv6 persist file /etc/bogonsv6

vesalius

@DD Have had the same error on 2 different 2.5 installs I have. Both systems ground to a halt and ultimately quit passing LAN traffic to WAN. WebGUI was still accessible, but very slow at times. Also while slow to respond pfsense was able to look for development updates and install them if/when I could get the gui to respond.

Bumping my:
System/Advanced/Firewall & NAT/Firewall Maximum Table Entries
to 4000000 from 2000000 seemed to clear things up today, but may have been coincidental to a fix from a new developmental snapshot.

DD

@vesalius I temporarily fixed it by uncheck "Block bogon networks" option on WAN network adapter.

w0w

@DD
This is not a good idea to pass bogon networks on WAN for security reasons.
https://redmine.pfsense.org/issues/10861
Better create system tunable named net.pf.request_maxcount in System/Advanced/System Tunables and put 2000000 as value.

bimmerdriver

I'm experiencing this problem also. I got the message:

To block bogon IPv6 networks the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased at least to 400000 @ 2020-09-07 10:30:51

I had previously set this value to 400000. I cleared the setting and it initially showed the default to be 400000. However, after refreshing the display, now it says the default is 200000. So perhaps the default needs to be increased.

Update, I increased the value to 500000 and it's now reporting the following:

Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: too many elements. - The line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"
@ 2020-09-07 10:43:08
There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: too many elements. - The line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"
@ 2020-09-07 10:43:21

vesalius

@bimmerdriver use the fix @w0w described in his post. A 2.5 bug is causing pfsense not to respect the value you set in the webgui so it doesn't matter what you change it too there, if I am reading the redmine link provided right.

louis2

Same problem here,

Louis

louis2

Note that after todays update I also see very serieus security messages!!

Sep 11 16:30:24 pfSense sshd[62912]: Disconnected from authenticating user root 112.85.42.229 port 38477 [preauth]
Sep 11 16:30:24 pfSense sshd[62912]: Received disconnect from 112.85.42.229 port 38477:11: [preauth]
Sep 11 16:30:24 pfSense sshguard[75466]: Attack from "112.85.42.229" on service SSH with danger 10.
Sep 11 16:30:24 pfSense sshd[62912]: Failed password for root from 112.85.42.229 port 38477 ssh2
Sep 11 16:30:24 pfSense sshguard[74138]: Attack from "112.85.42.229" on service SSH with danger 10.
Sep 11 16:30:24 pfSense sshd[62912]: Failed password for root from 112.85.42.229 port 38477 ssh2
Sep 11 16:30:23 pfSense sshguard[73227]: Attack from "112.85.42.229" on service SSH with danger 10.
Sep 11 16:30:23 pfSense sshd[62912]: Failed password for root from 112.85.42.229 port 38477 ssh2

Could be related!!

Louis

louis2

Hi,

The problem(s) described are may be related to updating. During the past two updates I got a message saying something like "update failed". However since, despite that message, everything seems to work. I did not pay further attention.

However that changed today. Issue far too serious!

So I did install today pfSense snapshot from scratch (format disk). That solved the problem (I think). No bogon warning, no security warnings in the log.

I have been thinking ..... just an Idea nothing more(!) .... that the updates do not clear the bogon table ..... just add new rules ..... that might!! be the case, perhaps! ... then ...

Louis

w0w

@louis2 said in There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements.:

112.85.42.229

This looks like abused IP from China. The main question is... do you have opened SSH port to the world?

louis2

@w0w

The moment I saw those messages, I realized that I had a serious security issue.

So I did decide to reinstall "immediately".

Something was terrible wrong with the system, for some unknown (upgrade) reason.

To answer your question, no I did not open the SSH-port!
So the only conclusion can be that the FW was not working correctly!

Of course they still had to guess my password etc, but never the less "far from OK".

Louis

amiah

FYI I had the same error with no internet, and had to go to INTERFACES and disable Block bogon network. I hope the next update can fix this issue.

abuttino

I have lost all LAN to WAN communication. Suggestions?

w0w

@abuttino

@w0w said in There were error(s) loading the rules: /tmp/rules.debug:19: cannot define table bogonsv6: too many elements.:

create system tunable named net.pf.request_maxcount
in System/Advanced/System Tunables and put 2000000 as value.

and REBOOT the firewall!

abuttino

@w0w Thanks!

louis2

For two reasons that is IMHO not the good solution:

At least for me a clean install solved the problem, so there seems to be a different problem
if (!!) the table is really to small, than Netgate should change the table size. So than your action is only a temporarily solution.

My advice is to save your config and to do a clean install based on the actual snapshot.

Louis

w0w

@louis2
Did you really read that?
https://redmine.pfsense.org/issues/10861
This is the clean installation from the latest ISO, nothing have been changed or imported:
VirtualBox_pfSense-244 testing bug_17_09_2020_06_29_32.png

The problem is not solved even on clean install. You will not receive this error until pf bogonsv6 table is full.

louis2

Yep, the table is to small should be at least 200000, however:

There are another problem as well !!

after a fresh install ...... the bogon tables are not loaded, automatically!! Oeps!!
and I also noticed an error "Bogons V6 file downloaded: pfctl: Invalid argument."
you can have big questions about rule tables as big as 114000 rules. I did not test, but it is probably dramatically affecting performance!!

I also wonder why this is still not fixed !!!

IPV6 is not in every regard a blessing

Louis

w0w

@louis2
If I got it right this time It's on FreeBSD 12.2-PRERELEASE side not pfSense directly. Looks like not everyone have been noticed that base system is changed

louis2

Thanx!

I checked pfSense is on 12.2 now. I think Jim should have communicated that.

Not for every one relevant, but for me and others that is important to know.

Louis