Bug #3791
Status: Closed
Category: Alias->URL Table (IPs)
% Done: 0%
Description
Upon boot, pfSense 2.2 takes 7-10 minutes to load pfSense at the [Loading Firewall] line with 8 aliases (Aliases > URLs) of type URL Table (IPs), consisting of approx. 129,000 URLs total over all 8 aliases, in the following format. Files are clean. Using BBcan177's script from https://forum.pfsense.org/index.php?topic=78062.0
217.195.25.241
218.75.155.41
218.146.254.33
220.181.150.161
222.186.19.226
There is very little processor, disk or network activity during this time. Cannot find anything in the logs that shows what it's doing.
The following is quoted from BBcan177 and verified by me. See link: https://forum.pfsense.org/index.php?topic=80018.0
<Begin Quote>
I also notice that aliases (URL Table - IPs) that were defined before shutdown are showing empty tables after reboot. 2.1.4 does not exhibit this behavior. All of the alias (URL Table - IPs) definitions are there, but they are empty.
Previously when an alias was created, clicking "Save" would load the Alias, and you could see the Tables if you hovered over the rules that are defined with an "alias", or in Diagnostics:Table. With 2.2, "Save" does not reload the previously defined aliases.
The only way to get the Aliases to show the IPs, is with a "pfctl" command:
/sbin/pfctl -t <Table Name> -T replace -f /PATH/TO/<Table Name>
However, if you edit the Alias another time, and click "Save", it will clear the table again. Executing the pfctl command above will allow reloading the alias table.
<End Quote>
Updated by Bill Crowder over 10 years ago
After looking around further: creating an Alias of URLs in a URL Table (IPs), then creating Floating rules based on these aliases, the rules do not populate the pf tables after saving them; you can see this with the command "pfctl -s labels".
After executing the command "pfctl -t <Table Name> -T replace -f /PATH/TO/<Table Name>" manually, the tables then load and function as expected per "pfctl -s labels".
Also, with these rules in place it takes 13 minutes for pfSense to boot at the first instance of "loading firewall", with 99.8 to 100% idle per top during this idle time.
From what I see, the alias tables do not get populated and the floating rules based on these aliases do not function without manual intervention using the pfctl command. I am resorting to setting up a cron job to reload the tables manually.
Updated by Bill Crowder over 10 years ago
https://forums.freebsd.org/viewtopic.php?t=45879
Seems this is corrected, but after looking at this, and seeing this error, "pfctl: bad address", in the logs, it seems that there is a problem with pf tables above a certain number of addresses. It seems others have had this problem with pf on FreeBSD; see the post above. It seems the standard block lists are too large for pf. Really don't want to overstep my pay grade. :)
Is there something different between the versions?
[2.2-ALPHA][root@router.crowderfarm.local]/root(6): pfctl -sm
states hard limit 406000
src-nodes hard limit 406000
frags hard limit 5000
table-entries hard limit 20000000
[2.1.4-RELEASE][root@router.crowderfarm.local]/root(3): pfctl -sm
states hard limit 305000
src-nodes hard limit 305000
frags hard limit 5000
tables hard limit 3000
table-entries hard limit 20000000
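The manual reload described in the first update (the pfctl "-T replace" command run from a cron job) and the "bad address" / table-size concern in the second update, as an added example script. This is not code from the bug report, from BBcan177's script, or from pfSense itself. It assumes the alias files are IPv4 or IPv4-CIDR lists in the one-address-per-line format shown in the description, that the directory holding them and the table names are passed on the command line (the report's /PATH/TO/<Table Name> is left as a parameter, not filled in), and that pfctl is the stock FreeBSD/pfSense binary; the table-entries limit is read from the same "pfctl -sm" output quoted above.

```shell
#!/bin/sh
# Added example, not from bug #3791 or from pfSense itself.
# Validates URL Table (IPs) alias files and reloads them into pf with the
# same "pfctl -t NAME -T replace -f FILE" command quoted in the report.
# Assumptions: files are IPv4 / IPv4-CIDR lists like the sample in the
# description (one address per line, "#" comments allowed); the directory
# holding them and the table names are passed on the command line; pfctl is
# the stock FreeBSD/pfSense binary. Run as root on the firewall.

# validate_table_file FILE
# Prints the number of loadable lines; returns 1 if any line would make
# pfctl complain ("bad address"), listing the offenders on stderr.
validate_table_file() {
    awk '
    function ok_ipv4(s,    p, n, i) {
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/#.*/, "")                       # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "")          # trim whitespace
        if ($0 == "") next                   # skip blank lines
        addr = $0; mask = ""
        if (index($0, "/")) { split($0, a, "/"); addr = a[1]; mask = a[2] }
        if (ok_ipv4(addr) && (mask == "" || (mask ~ /^[0-9]+$/ && mask + 0 <= 32)))
            good++
        else {
            bad++
            printf "bad address on line %d: %s\n", NR, $0 > "/dev/stderr"
        }
    }
    END { print good + 0; exit (bad > 0) }' "$1"
}

# table_entries_limit  (reads "pfctl -sm" output on stdin)
# Extracts the table-entries hard limit (20000000 in the output quoted in the
# report) so a reload can refuse lists that cannot fit in pf at all.
table_entries_limit() {
    awk '$1 == "table-entries" { print $4 }'
}

# reload_table NAME FILE
# Replaces the table in one pfctl call, then reads the entry count back with
# "pfctl -t NAME -T show" so an empty table after "Save" is caught immediately.
reload_table() {
    name=$1; file=$2
    if ! count=$(validate_table_file "$file"); then
        echo "$name: refusing to load $file, it contains bad addresses" >&2
        return 1
    fi
    /sbin/pfctl -t "$name" -T replace -f "$file" || return 1
    loaded=$(/sbin/pfctl -t "$name" -T show | wc -l | tr -d ' ')
    echo "$name: $count addresses in file, $loaded entries now in pf"
    [ "$loaded" -gt 0 ]
}

# main DIR NAME...   (e.g. from cron: reload_tables.sh /PATH/TO table1 table2)
# Assumes each table NAME has its address list at DIR/NAME.
main() {
    dir=$1; shift
    limit=$(/sbin/pfctl -sm | table_entries_limit)
    total=0
    for name in "$@"; do
        n=$(validate_table_file "$dir/$name" 2>/dev/null || true)
        total=$((total + ${n:-0}))
    done
    if [ "$total" -gt "$limit" ]; then
        echo "$total addresses exceed the pf table-entries hard limit of $limit" >&2
        return 1
    fi
    rc=0
    for name in "$@"; do
        reload_table "$name" "$dir/$name" || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Running this from cron in place of a bare pfctl line gives two things the report was missing: a line-by-line reason for any "bad address" error before pfctl sees the file, and a post-reload count from "pfctl -T show" that makes an alias left empty after "Save" visible in the cron mail rather than only in a missed block.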