Netgate Discussion Forum
    optimize config with GeoIP Alias

    pfBlockerNG
    11 Posts 3 Posters 1.5k Views 2 Watching
    • johnpoz LAYER 8 Global Moderator @sgw

      @sgw said in optimize config with GeoIP Alias:

      It only slows down the WebGUI etc

      why would you think that would slow down the web gui?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • sgw @johnpoz

        @johnpoz well, it's slow ;-)

        Editing NAT rules takes a long time, load is high.
        I assume generating the IP lists for the mouse-overs takes time or so.
        Surfing is OK, the routing and firewalling seem not to be slowed down (much ..?).

        • johnpoz LAYER 8 Global Moderator @sgw

          @sgw I have never seen such a slow down.. I can call up a table that has 147k entries and it pops..

          if I mouse over one of my aliases with over 120k entries in it - the mouse pop up is pretty much instant

          [image: instant.jpg]

          Do your aliases have millions and millions of entries?

          Those tables are not populated on the fly.. They get updated/populated on a schedule, native aliases that resolve stuff are like every 5 minutes.. A table of IPs that pfblock downloads will be updated per the schedule you set up in pfblocker..

          If you mouse over one of your aliases and it takes a long time to pop up, you got something else going on. There were some issues with pfblocker consuming large amounts of cpu, but I thought that was corrected?

          https://forum.netgate.com/topic/190240/pfblockerng_devel-commit-reverse

          • sgw @johnpoz

            @johnpoz

            when I click Firewall - NAT it takes around 25-30 seconds to open.
            This might be longer with a cold browser cache, I am not sure.

            The mouseover shows 10k lines "only" ;-) ... unsure how to see how many lines the alias really contains.

            The admin there was complaining, he edited a lot of the NAT entries yesterday and it took him a lot of time.

            Maybe there are other issues hidden.

            The alias is of type "Alias Native" and updated once a day only, if that is relevant.

            [image: 540cc221-9a97-4e79-9545-067f81caa4a2-image.png]

            I might disable this restriction for some NAT-rules to test.

            That's why I thought it might be more clever to filter ONCE for GeoIP on top and not for each NAT-rule in detail.

            Or doesn't that make a difference in the overall load?

            Remember: netgate-2100

            ... right now 22% of memory used, that's very ok. and 50-70% CPU.

            That box might be too small anyway, there are ~20 ovpn-clients also connected all day long (I should mention this, sorry). We consider upgrading hardware anyway for even more ovpn-connections (while getting rid of those legacy port-fwds).

            EDIT: applied the patch from https://forum.netgate.com/post/1187377 now, checking things. thanks so far!

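sgw asks above how to see how many entries the alias really holds. Here is an added shell helper (mine, not from the thread or from pfSense) that reports the size of every table pf currently has loaded, via pfctl; it assumes a pfSense/FreeBSD shell with pfctl on the path, and the PFCTL variable is my own hook for swapping in a stand-in when running it off the box.

```shell
#!/bin/sh
# Added example: size every loaded pf table so an oversized alias can be spotted.
# Assumes pfSense/FreeBSD with pfctl; PFCTL is an override hook for off-box runs.
PFCTL="${PFCTL:-pfctl}"

# Number of addresses/networks currently loaded into one table.
# `pfctl -t NAME -T show` prints one entry per line; count the non-empty lines.
pf_table_size() {
    "$PFCTL" -t "$1" -T show 2>/dev/null | grep -c . || :
}

# Every loaded table with its entry count, largest first.
pf_table_sizes() {
    "$PFCTL" -sT | while read -r t; do
        [ -n "$t" ] || continue
        printf '%s %s\n' "$(pf_table_size "$t")" "$t"
    done | sort -rn
}

# Only the tables holding at least MIN entries (default 10000), names only.
pf_large_tables() {
    pf_table_sizes | awk -v min="${1:-10000}" '$1 >= min { print $2 }'
}

# Usage on the firewall shell:  . ./pf_tables.sh && pf_large_tables 10000
```

A GeoIP alias that shows up near the top of that list is the one worth checking against the WebGUI delay.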
            • NogBadTheBad @sgw

              @sgw There is an option in System -> General Setup to disable Alias Popups

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • sgw @NogBadTheBad

                @NogBadTheBad this helps a lot, thanks!

                applied the patch and rebuilt the geoip lists as mentioned also

                looks better now

                • johnpoz LAYER 8 Global Moderator @sgw

                  @sgw said in optimize config with GeoIP Alias:

                  and 50-70% CPU.

                  That seems high for the box doing nothing but routing and firewalling.. How many states do you have currently, how much traffic is being routed?

                  But yeah if your cpu is running at 50 some % - interaction with the gui in any form might be a little bogged down.

                  Can you post up your cpu monitoring graph.. Example here is mine over 2 days, not showing the interrupts and processes so you can see cpu

                  [image: graph.jpg]

                  • sgw @johnpoz

                    @johnpoz

                    [image: 59347156-7be5-44cd-84d7-f66166a8d006-image.png]

                    • johnpoz LAYER 8 Global Moderator @sgw

                      @sgw well that doesn't seem all that crazy.. But you do have something going on for sure if it takes you 20-30 seconds to call up a rule.. Does that delay happen with just a normal rule or nat without any aliases in it?

                      If I go to edit this port forward

                      [image: edit.jpg]

                      It's pretty much instant.

                      • sgw @johnpoz

                        @johnpoz I'll get back here tomorrow ... it's late already in my timezone.
                        Thanks so far!

                        edit: currently sick since monday ... I'll get back here asap

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.