Understanding "There were error(s) loading the rules: /tmp/rules.debug:33: cannot define table pfB_PRI1_v4: Cannot allocate memory"

Stewart · Nov 8, 2021, 1:53 PM

I know the solution is to increase the table state size, but is there some way to see how much is needed and how much is in use? I have devices that have been out for months and years that are suddenly showing this and I'd like to have a better understanding. For example, one unit I installed came with a state table of 400,000 and had the error. I upped it to 800,000 and still had the error. Then it was suggested that I up it to 2,000,000. At what point am I over-allocating RAM? That's why I'd like to be able to go in and see how much is actually in use and how much is needed. Thanks.

SteveITS · Nov 8, 2021, 4:24 PM

@stewart You wrote "state table" but I think you meant "Firewall Maximum Table Entries"? That's what is used for allocating space for aliases and whatnot. Our notes are "in System/Advanced/NAT double default Firewall Maximum Table Entries (minimum 2 million)."

As for RAM usage the dashboard will show current usage. We've never had a RAM issue at any of our clients. Diagnostics/Tables will show how many are in each table.

Stewart · Nov 8, 2021, 4:29 PM

@steveits You are correct. I meant Firewall Maximum Table Entries. Memory usage is around 30% but I still get that error message because the Table size is too small. Is there a way to see how much of the Table is used? I can set it to 2,000,000 but would 1,000,000 be enough? Or is the RAM hit so small it doesn't really matter? I assume there is a good reason that the maximum size is defaulted to what it is, in this case 400,000. It seems quite the jump to raise it 5x it's default size.

SteveITS · Nov 8, 2021, 5:14 PM

@stewart I think just looking at the count in each table and adding them. I don't think it preallocates the memory (?), but in any case I don't know that any of the routers we've set up use over 1 GB for all of pfSense, or at least not much more. Of course memory usage varies with packages and how pfBlocker is set up (how many feeds, DNSBL, etc.) but unless you're getting other out of memory issues I wouldn't worry about it.

Stewart · Nov 11, 2021, 3:50 PM

@steveits OK. I went back and found most of the other units we've installed were at 2,000,000 and their RAM is OK. I guess it's not really an efficiency to worry about.