PHP Fatal error: Allowed memory size of 536870912 bytes exhausted

NetRunner8050

Hey guys,

pfSense Firmware:
2.8.0-RELEASE (amd64)

pfSense Hardware:
Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz
16 GB DDR3 RAM

I'm encountering a strange issue:
Whenever I log in, I see the following error on my dashboard:

[24-Jul-2025 21:54:16 Europe/Berlin] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

I opened the file and tried increasing the memory limit to 2048M, but the change gets reset after every firewall reboot.

I also tried editing the file shown below:

However, I'm a bit lost at this point. I can only find very old threads, and it seems the code has changed. Previously, it looked like this:

// Set memory limit to 512M on amd64.
if ($ARCH == "amd64") {
ini_set("memory_limit", "512M");
} else {
ini_set("memory_limit", "128M");
}
That would have been easy to modify – but unfortunately, it's no longer like that.

Also, when searching the error on the forum or Google, I only find bug reports that are already marked as resolved or outdated threads from 5–10 years ago.

This issue seems to have started after upgrading to 2.8.0, but I can't say for sure if it's related.

I don't have a huge configuration or setup – just a few aliases and maybe 5–7 lists in DNSBL.

Could anyone help me figure this out?

Thanks in advance!

SteveITS

@NetRunner8050 It's exposed in the GUI now.

https://forum.netgate.com/topic/198176/php-memory-error/3

stephenw10

Make sure you are using Python mode in DNSBL.

Gertjan

@NetRunner8050 said in PHP Fatal error: Allowed memory size of 536870912 bytes exhausted:

I can only find very old threads ...

Euuuh ... not everybody runs pfSense on 'huge rigs' ? ^^

Use this one :

and enter the word 'exhausted' - and limit the search for answers for the last 4 weeks :

and scroll down : you find a second post, with the same question, same type of device.
And the solution.

stephenw10

But specifically if you're running DNS-BL with a number of lists and kea2unbound make sure you're using Python mode to avoid this.

Gertjan

@stephenw10
Very true.
kea2unbound requests unbound a copy of it's local 'DNS' cache so it can check what has to be removed before it adds new DNS (& PTR) info, if needed.
When Python mode isn't used, this local unbound cache can get very big.

edit :
To see it :

/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf list_local_data | wc -l

If pfBlockerng is used without Python mode (also !), this cache can be very big.
Reading, writing and parsing huge data streams with PHP creates classic "don't do that" situation.

Btw, @cmcdonald (kea2unbound author, right ?) : what about a warning message in the log system when kea2unbound detects that the option Python Module under "Services > DNS Resolver > General Settings" is disabled ?
The unbound config is already loaded, so checking would be easy :

Disabling this option by itself is probably not an issue, but if pfBlockerng is installed and it uses DNSBL feeds, then things will go downwards very fast. See here :

Memory exhaustion in kea2unbound when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode"

Or, as proposed in the bug comments : remove the "Unbound or Python" option completely in pfBlockerng, making Python mode default.
And what the heck, why not remove the

option also ?! Activate it by default. Not sure why it needs an option to disable it.