Bug #11551


SG-3100 with pfBlockerNG doesn't pass traffic

Added by Viktor Gurov 11 months ago. Updated 7 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:


SG-3100 appliance doesn't pass traffic on boot and I see error messages in `dmesg`:

pid 833 (php-cgi), jid 0, uid 0: exited on signal 11 (core dumped)

sometimes it won't load WebGUI and I need to restart php-fpm + webconfigurator from the console/ssh

but if I disable pfBlockerNG and reboot, it works fine,

If I enable pfBlockerNG (DNSBL python or unbound mode) it stops passing traffic again and I see:

pid 357 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped)

same issue if I disable all pfBlockerNG IP feeds

pfSense+ 21.02/21.02-p1
unbound 1.13.1
pfBlockerNG-devel 3.0.0_10

see also #11444

php core dumps:


pfblockerng.xml (30.1 KB) pfblockerng.xml Viktor Gurov, 02/26/2021 08:14 AM
Actions #1

Updated by Jim Pingle 11 months ago

The PHP segfault may be similar to, or the same as, #11466

Actions #2

Updated by Bill Meeks 11 months ago

Jim Pingle wrote:

The PHP segfault may be similar to, or the same as, #11466

I definitely agree. Something weird is up with PHP on 32-bit ARM hardware (or maybe all 32-bit hardware, but there are no longer x86 images to test with).

I worked all day yesterday on the Snort issue on an SG-3100. I put notes in the Issue #11466 ticket. I "fixed" the Snort problem, but I don't think I actually fixed the real problem. So I'm not willing to claim that issue can be closed yet.

Actions #3

Updated by Darin May 8 months ago

The patch contained at has stopped the PHP crashes. So this bug could be marked as dependent upon it for a perm fix.

Actions #4

Updated by Jim Pingle 8 months ago

The patch should fix the behavior, but the package could also implement the fix on its own using ini_set("pcre.jit", "0"); in PHP on 32-bit ARM multi-core systems before performing PCRE operations. Doing it in the package would allow systems without the patch installed to benefit from the change.

Actions #5

Updated by Jim Pingle 8 months ago

See also: #12004

Actions #6

Updated by Jim Pingle 7 months ago

  • Status changed from New to Closed

Closing this as it appears to be the same root cause as #11466 which has a workaround applied as #12004 -- Users can wait for that to be integrated into a release or apply it manually using the instructions on that issue.

If you apply that workaround properly and still have problems, report them on the forum at and include any error messages displayed in the GUI or log, crash reports, and other relevant data.


Also available in: Atom PDF