swap usage shows 100%

posix

I updated the graph

Screenshot 2025-03-07 at 3.49.07 PM.png

posix

Don't know if this helps since it was mentioned about disk space:

/root: df -h
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufsid/61bf5ededf06b426    227G     70G    138G    34%    /
devfs                          1.0K      0B    1.0K     0%    /dev
tmpfs                          4.0M    204K    3.8M     5%    /var/run
/lib                           227G     70G    138G    34%    /var/unbound/lib
devfs                          1.0K      0B    1.0K     0%    /var/unbound/dev
/var/log/pfblockerng           227G     70G    138G    34%    /var/unbound/var/log/pfblockerng
/usr/local/share/GeoIP         227G     70G    138G    34%    /var/unbound/usr/local/share/GeoIP
/usr/local/bin                 227G     70G    138G    34%    /var/unbound/usr/local/bin
/usr/local/lib                 227G     70G    138G    34%    /var/unbound/usr/local/lib
devfs                          1.0K      0B    1.0K     0%    /var/dhcpd/dev

Gertjan

Just checking :

@posix said in swap usage shows 100%:

/var/log/pfblockerng 227G 70G 138G 34% /var/unbound/var/log/pfblockerng

I use the default pfBlockerng log file 'size' setup :

and right now that about 110 Mbytes for me:

You : really 70 Gbytes ?

pfBlockerng use these files to generate these pages on demand :

If your files are that big, it would take ages to do that .... nginx/PHP will probably time out.

posix

This post is deleted!

posix

@Gertjan

Edit I see the pfblockerlogs increasing:

Thanks for the response, the log size I have configured are the same

Screenshot 2025-03-10 4.14.32 PM.png

/var/log/pfblockerng: ls -l
total 20376
-rw-------  1 unbound unbound 2012634 Mar 10 16:16 dns_reply.log
-rw-------  1 unbound unbound 2474917 Mar 10 16:16 dnsbl.log
-rw-------  1 root    wheel   5258413 Mar 10 16:00 dnsbl_parsed_error.log
-rw-------  1 root    wheel    426448 Mar 10 16:00 error.log
-rw-------  1 root    wheel    274484 Mar 10 16:00 extras.log
-rw-------  1 root    wheel   3481641 Mar 10 16:11 ip_block.log
-rw-------  1 root    wheel   3649640 Mar 10 16:00 ip_permit.log
-rw-r--r--  1 root    unbound     120 Mar 10 12:00 maxmind_ver
-rw-------  1 root    wheel    624287 Mar 10 16:00 pfblockerng.log
-rw-r--r--  1 unbound unbound     229 Feb 21  2023 py_error.log
-rw-------  1 unbound unbound 2208509 Mar 10 16:16 unified.log

second capture:

-rw-------  1 unbound unbound 2054793 Mar 10 16:23 dns_reply.log
-rw-------  1 unbound unbound 2484058 Mar 10 16:22 dnsbl.log
-rw-------  1 root    wheel   5258413 Mar 10 16:00 dnsbl_parsed_error.log
-rw-------  1 root    wheel    426448 Mar 10 16:00 error.log
-rw-------  1 root    wheel    274484 Mar 10 16:00 extras.log
-rw-------  1 root    wheel   3483020 Mar 10 16:18 ip_block.log
-rw-------  1 root    wheel   3649640 Mar 10 16:00 ip_permit.log
-rw-r--r--  1 root    unbound     120 Mar 10 12:00 maxmind_ver
-rw-------  1 root    wheel    624287 Mar 10 16:00 pfblockerng.log
-rw-r--r--  1 unbound unbound     229 Feb 21  2023 py_error.log
-rw-------  1 unbound unbound 2260172 Mar 10 16:23 unified.log

right now up at 75G

/var/log/pfblockerng: df -h
Filesystem                     Size    Used   Avail Capacity  Mounted on
/dev/ufsid/61bf5ededf06b426    227G     75G    133G    36%    /
devfs                          1.0K      0B    1.0K     0%    /dev
tmpfs                          4.0M    204K    3.8M     5%    /var/run
/lib                           227G     75G    133G    36%    /var/unbound/lib
devfs                          1.0K      0B    1.0K     0%    /var/unbound/dev
/var/log/pfblockerng           227G     75G    133G    36%    /var/unbound/var/log/pfblockerng
/usr/local/share/GeoIP         227G     75G    133G    36%    /var/unbound/usr/local/share/GeoIP
/usr/local/bin                 227G     75G    133G    36%    /var/unbound/usr/local/bin
/usr/local/lib                 227G     75G    133G    36%    /var/unbound/usr/local/lib
devfs                          1.0K      0B    1.0K     0%    /var/dhcpd/dev

posix

Hello, can anyone provide further guidance?

posix

@bmeeks @michmoor @stephenw10

Sorry to blast, but looking for further guidance and next steps.

stephenw10

I assume it resets if you reboot?

How long does it take to refill?

bmeeks

I would not conflate disk space consumption with swap file usage. Having large files on the disk does not necessarily relate to swap being used. Maybe if you were trying to load and view huge files, but the PHP GUI would probably crash first before it forced the OS into using swap.

Something with the number of active processes you have running is consuming the swap. You have a number of Snort processes showing in one of your screen captures. Do you actually have that many physical interfaces configured, or are you running Snort instances on multiple VLANs? If the latter, consider running a single Snort instance on the physical interface.

You also have a couple of other packages that are likely to use RAM aggressively. Taken all together, it appears you have more "stuff" running than you have enough physical RAM to accomodate- thus the need for swap usage.

SteveITS

@posix The 70G/75G is total disk usage not pfBlocker usage. Though that’s at least 10x a typical pfSense installation.

Try “du -h —max-depth=2 /“ At a command line and see what’s using 70GB and apparently increasing since your earlier post. Then keep going into the largest subdirectories.

Edit: and yeah, disk usage is not equal to RAM usage.

posix

@bmeeks @stephenw10 @michmoor

Just an update. I removed SNORT package and swap usage went down to %7

@bmeeks as you pointed I was using SNORT on a few vlan interfaces and subscribed to paid rules. Since SNORT is not going to be moving to newer releases in PFSENSE anytime soon and I have no technical justification to use it in my home network (LOL - I know, "But I wanted to learn"). Other real world problems take priority.

Will open another thread about file useage, thank you all for the pointer hopefully others will benefit from this thread.