GUI alias and rule changes are not applied to the running PF ruleset ( pfctl -sr / pfctl -t unchanged), causing new firewall rules to not work, likely due to pfBlockerNG overriding tables.
-
The issue is reproducible on pfSense Plus 26.03 and appears isolated to scenarios where pfBlockerNG is enabled.
Observed behavior:
- With pfBlockerNG disabled:
  - Firewall rules added or removed in the GUI are immediately reflected in the active ruleset and visible via pfctl -sr.
  - Alias changes made in the GUI correctly update the associated PF tables (pfctl -t <alias> -T show).
- With pfBlockerNG enabled:
  - Firewall rule additions or deletions made in the GUI do not appear in pfctl -sr, and newly added rules do not function.
  - Alias edits made in the GUI do not update the corresponding PF tables (pfctl -t <alias> -T show remains unchanged).
Notably:
- pfBlockerNG is on the latest version (3.2.16)
- The IP > GeoIP section is set to Alias Native.
- Alias changes remain pending and only take effect when pfBlockerNG is toggled (disabled and re‑enabled) or the firewall is rebooted.
- Disabling pfBlockerNG restores normal behavior, and re‑enabling it forces both aliases and rules to synchronize.
Impact:
This behavior prevents new or modified firewall rules from being applied in real time and leaves the system in an inconsistent state unless pfBlockerNG is manually toggled or the firewall is rebooted, which is disruptive.
This suggests that when pfBlockerNG is enabled, it interferes with or overrides the normal filter reload process, and that alias and rule updates only fully apply when pfBlockerNG performs its own reload cycle.
-
Alias changes remain pending
Can you show this with a sequence of screenshots?
-
Hello,
We identified the root cause. The firewall is failing to reload the ruleset due to a PF memory allocation error triggered by pfBlockerNG.
Under Status → Filter Reload, we consistently see:
pfctl: Syntax error in config file: pf rules not loaded /tmp/rules.debug:97: cannot define table pfB_Europe_v6: Cannot allocate memory
When this occurs, PF refuses to load the new ruleset, which explains why:
- GUI rule changes do not appear in pfctl -sr
- Alias updates do not apply
- New rules do not function
Disabling the failing pfBlockerNG IPv6 table (pfB_Europe_v6) allows the ruleset to load correctly and immediately restores expected behavior. Rebooting or toggling pfBlockerNG also temporarily resolves the issue by freeing memory.
This confirms the issue is caused by PF table memory exhaustion during rule reload when pfBlockerNG IPv6 GeoIP tables are enabled.
Thanks
-
Is it merely an allocation issue, or is it in fact exhaustion due to it being a low memory system?
-
@jacob.simon said in GUI alias and rule changes are not applied to the running PF ruleset ( pfctl -sr / pfctl -t unchanged), causing new firewall rules to not work, likely due to pfBlockerNG overriding tables.:
cannot define table pfB_Europe_v6: Cannot allocate memory
To be honest, the pfBlocker "cannot allocate memory" issue has been a thing for a long time.. You should update how many entries can be used for tables if you are going to use huge tables like all the IPv6 networks in the EU ;)

I don't have any such problems - but then again not using a table for all the IPv6 networks in the EU ;)
-
For additional reference—on a 32 GB system with an obnoxious DNSBL database (not that this is relevant beyond overall RAM utilization) and all the GeoIP, it never gets anywhere near the configured 15,000,000 maximum table entries size.
-
@tinfoilmatt The system is a Netgate 8200; upon receiving this error it's only used 10% of its 16 GB RAM. Also, at this juncture it doesn't have other things configured; in fact the setup was completely vanilla (exited the setup wizard) and I just added the GeoIP.
-
Easy enough 'fix'. Simply adjust the setting highlighted by @johnpoz accordingly.
-
Note that the option should be set to at least twice the expected number of entries across all aliases. See:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-maximum-table-entries
-
@jacob.simon Just to add on, the issue isn't memory usage overall, it's "I ran out of slots to store things." (table entries)
Also since you mentioned geo IP, if you "block the world" that creates much larger aliases than "allow my country."
Long ago I'd read, if using pfBlocker, start table entries at 2 million and increase as necessary. YMMV
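As an added example (not code from the thread or from pfBlockerNG), the following POSIX sh script applies the sizing advice given above: it reads the table-entries hard limit from pfctl -s memory, sums the entries currently loaded across all PF tables, and warns when the limit is below twice the entries in use, the minimum the Netgate docs linked above recommend. It assumes the real pfctl output formats ("table-entries hard limit N" from pfctl -s memory, one table name per line from pfctl -s Tables); when pfctl is not installed it falls back to constructed sample data so it runs stand-alone. The table names and counts in the sample are invented for the demo and are not measurements from the poster's system.

```shell
#!/bin/sh
# Added example, not part of the forum thread: check PF table-entry headroom.
# Assumes pfctl's "table-entries hard limit N" line (pfctl -s memory) and
# one-name-per-line output from pfctl -s Tables. Without pfctl present the
# constructed samples below are used instead.

# Constructed sample of `pfctl -s memory` output (numbers chosen for the demo).
SAMPLE_MEMORY='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   400000'

# Constructed per-table entry counts ("name count" per line), standing in for
# `pfctl -t NAME -T show | wc -l` run over every table from `pfctl -s Tables`.
SAMPLE_TABLES='pfB_Europe_v4 120000
pfB_Europe_v6 310000
bogons 1200
bogonsv6 90000'

# table_entry_limit TEXT: extract the table-entries hard limit from pfctl -s memory text
table_entry_limit() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" && $2 == "hard" { print $4 }'
}

# total_table_entries TEXT: sum the count column of "name count" lines
total_table_entries() {
    printf '%s\n' "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# recommended_limit TOTAL: at least twice the entries in use, per the docs
recommended_limit() {
    echo $(( $1 * 2 ))
}

# check_headroom LIMIT TOTAL: succeed (0) when LIMIT >= 2*TOTAL, else fail (1)
check_headroom() {
    limit=$1
    total=$2
    if [ "$limit" -ge $(( total * 2 )) ]; then
        return 0
    fi
    return 1
}

# report: use the live pfctl data when available, otherwise the samples
report() {
    if command -v pfctl >/dev/null 2>&1; then
        mem=$(pfctl -s memory 2>/dev/null)
        tables=$(pfctl -s Tables 2>/dev/null | while read -r t; do
            printf '%s %s\n' "$t" "$(pfctl -t "$t" -T show 2>/dev/null | wc -l | tr -d ' ')"
        done)
    else
        mem=$SAMPLE_MEMORY
        tables=$SAMPLE_TABLES
    fi
    limit=$(table_entry_limit "$mem")
    total=$(total_table_entries "$tables")
    printf 'table-entries hard limit: %s\nentries in use:           %s\nrecommended minimum:      %s\n' \
        "$limit" "$total" "$(recommended_limit "$total")"
    if check_headroom "$limit" "$total"; then
        echo "OK: limit has at least 2x headroom over loaded tables"
    else
        echo "WARNING: raise Firewall Maximum Table Entries (System > Advanced > Firewall & NAT) and reload the filter"
    fi
}

report
```

Run it on the firewall itself (as root, since pfctl needs /dev/pf); on a box where a table fails with "Cannot allocate memory" the reported entries in use will already be above what the limit can hold, so the loaded-table sum undercounts and the warning should be read as a floor, not an exact figure.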