Netgate Discussion Forum
why doesn't the "Firewall Maximum Table Entries" get set based on Ram of system

General pfSense Questions
8 Posts 4 Posters 865 Views
rebootnz
last edited by Feb 19, 2024, 3:32 AM

Hi all

I've just installed pfSense Community 2.7.2-RELEASE and am still wondering why the "Firewall Maximum Table Entries" are not set based on RAM.

I've enabled pfBlocker with GEO blocking and I keep getting errors, as in "can't load table".

I know the fix is to set the "Firewall Maximum Table Entries" to match the amount of RAM less a few GB. E.g. for a 16 GB system I set it at 14,000,000.

Why, in this day and age, can't the installer just look at the system RAM and set this correctly?

I have had to reset the "Firewall Maximum Table Entries" to be the RAM less a few GB. (Most of my clients are running 16+ GB RAM, as it is cheap.) I have also helped other people who are running pfSense by setting this.

@netgate, are you looking at this as a simple feature update for the installer?

Note: this is the same in pfSense Plus.

SteveITS Galactic Empire @rebootnz
last edited by Feb 19, 2024, 6:22 AM

@rebootnz it should be set to the amount of entries required. The advice I'd heard way back was to start at 2 million and increase as necessary.

No sense allocating RAM if it's not needed for the person's setup. Do they use MaxMind? For how many countries? Giant block lists or a few small ones? Etc.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

rebootnz @SteveITS
last edited by Feb 19, 2024, 7:44 AM

@SteveITS yes, they are using MaxMind, and yes, they are geoblocking every country except the country they are in.

If a system has the RAM then use it. It has no impact on the system.
As an example, I run a 12 core Xeon CPU with 16 GB RAM with the same geoblocking as above, and why not use all the RAM it can? The system just idles. (30 clients behind a 5 Gig link pushing around 2 TB a day throughput.)

johnpoz LAYER 8 Global Moderator @rebootnz
posted Feb 19, 2024, 12:11 PM; last edited by johnpoz Feb 19, 2024, 12:13 PM

          @rebootnz said in why doesn't the "Firewall Maximum Table Entries" get set based on Ram of system:

          and yes they are Geoblocking every country except the country they are in.

That is the wrong way to do it. Just allow the country they are in vs trying to block the whole internet.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

stephenw10 Netgate Administrator
last edited by Feb 19, 2024, 1:58 PM

            Yes, blocking the world is almost always the wrong way to do it.

rebootnz @stephenw10
last edited by Feb 19, 2024, 10:38 PM

              @stephenw10

Then how would you block everyone except Canada and Australia?
They need to have access via the internet back to their business apps. No, they are not using VPN yet. Trying, but that is going to be a long process.

Blocking every country has reduced the door rattling by over 90%. Yes, their app has 2FA, so that helps make it a bit more secure.

johnpoz LAYER 8 Global Moderator @rebootnz
posted Feb 19, 2024, 10:43 PM; last edited by johnpoz Feb 19, 2024, 10:46 PM

                @rebootnz said in why doesn't the "Firewall Maximum Table Entries" get set based on Ram of system:

                Then how would you block everyone except Canada and Australia.

By creating an alias with just Canada and AU in it. Simple enough in pfBlocker. And just allowing that; if it's not allowed then it's denied, by the default deny that is on every interface.

Here I have US and Morocco in mine.

[image: allow.jpg]

I have some others in there as well, because some of those might be international. Those are lists of IPs that the service keeps updated with what IPs they might check from. They are not always US based, etc.

I allow Morocco currently because I have family living there currently that watch my Plex.

You can then use this alias in any port forwards, or just firewall rules you create.

[image: wanrules.jpg]

SteveITS Galactic Empire @johnpoz
last edited by Feb 19, 2024, 10:49 PM

                  @johnpoz said in why doesn't the "Firewall Maximum Table Entries" get set based on Ram of system:

                  alias

@rebootnz if you use Alias Native, pfB just creates the alias, and you can create your own rules or use it as a source for NAT rules.

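The allow-list approach johnpoz and SteveITS describe above (one alias holding only the permitted countries, referenced from the pass rules, with the interface's default deny catching everything else), written out in pf.conf terms, since pf is the packet filter pfSense generates its ruleset for. This is an added example, not from the thread and not pfSense's own generated ruleset: the interface macro, app host, table name and address ranges are constructed placeholders standing in for a pfBlockerNG "Alias Native" country alias.

```pf
# Added example (constructed), not pfSense's generated ruleset.
# Placeholders: $wan_if, $app_host, and the table contents.
wan_if   = "vtnet0"
app_host = "192.0.2.10"     # internal host running the business app

# pf limit behind the "Firewall Maximum Table Entries" setting. It is a
# count of entries across all loaded tables, not a byte size, and a list
# that exceeds it fails to load. Raise it only as far as the lists need.
set limit table-entries 2000000

# A pfBlockerNG "Alias Native" country alias becomes a pf table.
# Only the permitted countries go in it (Canada and Australia in the
# thread); the documentation prefixes below stand in for MaxMind ranges.
table <pfB_Allow_CA_AU> persist { 203.0.113.0/24, 198.51.100.0/24 }

# Default deny on WAN. pfSense adds this implicitly on every interface,
# so no separate "block the rest of the world" deny list is needed.
block in log on $wan_if all

# Port forward plus pass rule that only the allow-list table can reach.
rdr on $wan_if proto tcp from <pfB_Allow_CA_AU> to ($wan_if) port 443 \
    -> $app_host port 443
pass in quick on $wan_if proto tcp from <pfB_Allow_CA_AU> \
    to $app_host port 443 flags S/SA keep state

# Any source not in the table matches no pass rule and falls through to
# the block above. A deny list covering every other country adds nothing
# here and is what pushes the table entry count into the millions.
```

The two documentation prefixes keep the example small; a real country alias holds thousands of ranges, which is why the table-entries limit matters at all.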