Netgate Discussion Forum

    Technically feasible to create massive alias block lists?

    Firewalling
    3 Posts 2 Posters 455 Views
    Luca1

      Hi guys,

      This is a technical question only. I'm trying to determine if pfSense and my hardware (Netgate XG-7100 running the latest OS) are capable of doing this without overwhelming the little router.

      I'm creating massive block lists that cover several countries that we do not do any business with but which are constantly attacking our resources.

      The block lists (created via Firewall => Alias => Import) are built from about 122,000 IP blocks (e.g. /12, /22, etc.) covering approximately 655 million IPs from the CN/RU and Asian regions.

      I understand I can accomplish this with pfBlocker and other modules, but I would like to know if it's technically feasible and OK (from a technical standpoint) to block this many IPs, or if it will stress the router due to the number of checks it will have to perform when filtering traffic.

      Thank you,
      Luc

      SteveITS @Luca1

        It should be fine. Our office router with a bunch of GeoIP lists and Suricata is using about 730 MB RAM.

        pfBlocker recommends changing the System/Advanced/Firewall & NAT/Firewall Maximum Table Entries setting to a minimum of 2 million. You can see how big a table is in Diagnostics/Tables (the US IPv4 list is 105,800 entries).

        Depending on the setup/usage, it may be more efficient to allow desired IPs, than to "block the world."

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        Luca1
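        Added example, not code from this thread, from pfSense or from pfBlockerNG: a small script that sizes an alias import before it is loaded, the check the reply above points at in Diagnostics/Tables. It parses an alias file of the form Firewall => Alias => Import accepts (one address or CIDR per line), merges contained and adjacent prefixes, and reports how many pf table entries the list will actually consume against the configured maximum. The sample alias text, the function names and the use of the 2,000,000 figure quoted above as the limit are assumptions; what the script relies on from pf is that a table holds one entry per prefix (a /12 costs the same as a /32) and that the Firewall Maximum Table Entries value is one limit shared by every loaded table.

```python
"""Size a pfSense alias import before loading it into pf.

Added example for the thread above; not pfSense or pfBlockerNG code.
Assumptions: alias text is one IP or CIDR per line with '#' comments
(the Firewall => Alias => Import format), and the limit passed in is the
value set under System/Advanced/Firewall & NAT/Firewall Maximum Table Entries.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample alias file (documentation ranges, not a real feed).
# It overlaps deliberately so the merge step has something to do.
SAMPLE_ALIAS = """\
# comments and blank lines are ignored
203.0.113.0/24
203.0.113.0/25      # contained in the /24 above
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous /25: merges into one /24
192.0.2.0/24
192.0.2.77          # bare host already inside the /24
"""

# The minimum pfBlockerNG recommends for the table-entry limit, as quoted
# in the reply; substitute whatever is configured on your own firewall.
RECOMMENDED_MAX_TABLE_ENTRIES = 2_000_000


def parse_alias(text: str) -> List[Network]:
    """Parse alias text: one address or CIDR per line, '#' starts a comment."""
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set (10.0.0.1/8 -> 10.0.0.0/8)
        # instead of rejecting the line.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets: Iterable[Network]) -> List[Network]:
    """Merge contained and adjacent prefixes, per address family.

    collapse_addresses() refuses mixed families, so v4 and v6 are merged
    separately and concatenated.
    """
    nets = list(nets)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(
        ipaddress.collapse_addresses(v6)
    )


def table_stats(nets: Iterable[Network]) -> Dict[str, int]:
    """Count what pf will store.

    pf keeps one table entry per prefix, not per address, so 'entries' is
    what the Maximum Table Entries limit caps; 'addresses' is only the size
    of the blocked space (the 655 million figure in the question).
    """
    nets = list(nets)
    merged = collapse(nets)
    return {
        "raw_entries": len(nets),
        "entries": len(merged),
        "addresses": sum(n.num_addresses for n in merged),
    }


def fits(stats: Dict[str, int], max_table_entries: int, other_tables: int = 0) -> bool:
    """True if this table plus entries already loaded in other tables
    (GeoIP lists, bogons, pfBlocker feeds) stay within the shared limit."""
    return stats["entries"] + other_tables <= max_table_entries


def render_alias(nets: Iterable[Network]) -> str:
    """Write the merged list back out, ready to paste into Alias => Import."""
    return "\n".join(n.with_prefixlen for n in collapse(nets)) + "\n"


if __name__ == "__main__":
    parsed = parse_alias(SAMPLE_ALIAS)
    stats = table_stats(parsed)
    print(f"lines in file: {stats['raw_entries']}, pf entries after merge: "
          f"{stats['entries']}, addresses covered: {stats['addresses']}")
    print("fits under recommended limit:",
          fits(stats, RECOMMENDED_MAX_TABLE_ENTRIES))
    print(render_alias(parsed), end="")
```

        To size a real import, read the alias file into parse_alias() instead of SAMPLE_ALIAS and pass the limit actually configured on the box; after loading, `pfctl -t <tablename> -T show | wc -l` on the firewall's shell gives the same entry count Diagnostics/Tables displays, which is the number to compare with the limit, not the address count.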

          Great suggestion!

          Thank you. Ticket resolved.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.