Bug #8417

closed

IPv6 bogon list size now too large to fit in standard maximum table size

Added by Jim Pingle about 6 years ago. Updated almost 6 years ago.

Status:
Resolved
Priority:
Normal
Category:
Rules / NAT
Target version:
Start date:
04/02/2018
Due date:
% Done:
100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

The IPv6 bogon list has grown to the point where it can no longer fit inside the stock value for maximum table size (200000) during a reload.

We need to increase the default value to give it plenty of room; doubling the current default to 400000 should be sufficient.

We may also want a check in the bogons processing code that will prevent loading bogons if the maximum table size is manually set too low.

To Renato for now; he's working on changing the default and adding upgrade code.
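The check the description asks for, as an added example in POSIX shell (this is not pfSense's own bogons code, and the bogon file path /etc/bogonsv6 and the `pfctl -sm` line "table-entries hard limit" mentioned in the comments are my assumptions about where a practitioner would read the real values, not something taken from this report). It counts the entries a bogon list would add, compares them with a table-entries limit, refuses the load when the limit is too small, and derives the next doubled limit, the way this fix doubled 200000 to 400000. The sample list is constructed inline so the script runs offline; on a firewall you would point it at the real list and the live limit.

```shell
#!/bin/sh
# Added example, not pfSense's own code: decide whether a bogon list will
# fit under pf's global table-entries limit before loading it.
# Assumptions (not from the bug report): on pfSense the IPv6 list would be
# /etc/bogonsv6 and the live limit is the "table-entries hard limit" line
# of `pfctl -sm`. Here a constructed sample file and explicit limits are used.

# count_bogon_entries FILE: number of networks in a bogons file, i.e. lines
# that are neither blank nor '#' comments (one table entry per network).
count_bogon_entries() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# bogons_fit_limit FILE LIMIT [OTHER_ENTRIES]
# Returns 0 when the list's entries, plus OTHER_ENTRIES already consumed by
# other tables (aliases and the like share the same pf limit), stay strictly
# below LIMIT; returns 1 when loading the bogons would exceed the limit.
bogons_fit_limit() {
    file=$1 limit=$2 other=${3:-0}
    needed=$(( $(count_bogon_entries "$file") + other ))
    [ "$needed" -lt "$limit" ]
}

# recommended_limit FILE START: smallest repeated doubling of START that
# leaves the list at most half of the limit, mirroring the 200000 -> 400000
# bump in this bug so the table keeps headroom as the feed grows.
recommended_limit() {
    entries=$(count_bogon_entries "$1")
    limit=$2
    while [ $((entries * 2)) -gt "$limit" ]; do
        limit=$((limit * 2))
    done
    echo "$limit"
}

# Constructed sample bogon list (not the real feed): 6 networks, 2 comments.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample bogon list
::/8
2001:db8::/32
# another comment
fc00::/7
fe80::/10
ff00::/8
100::/64
EOF

# Usage: a limit of 4 is too small for 6 entries, so bogons must not be
# loaded; the next doubling of 4 that leaves headroom is 16.
if bogons_fit_limit "$sample" 4; then
    echo "limit 4: bogon list fits"
else
    echo "limit 4: too small, refusing to load bogons"
fi
echo "recommended limit starting from 4: $(recommended_limit "$sample" 4)"
```

On a live system the OTHER_ENTRIES argument matters: pf counts every table, including alias tables, against the single table-entries limit, so a limit that is merely larger than the bogon list can still fail once aliases are loaded on top of it.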


Files

pfsense-incorrect-description.png (20.9 KB), Ryan Jaeb, 04/02/2018 05:11 PM
#1

Updated by Jim Pingle about 6 years ago

  • Description updated (diff)
#2

Updated by Renato Botelho about 6 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
#3

Updated by Ryan Jaeb about 6 years ago

I think there's also a mistake in the description on the settings page that could mislead people. If you've overridden the default size in the past, the description will claim the current size is the default size. For a while I was thinking the default had already been increased because the firewall I was looking at had the value manually set. You need to re-navigate to the settings page after applying a manual value to see the incorrect message. See my attached image.

#4

Updated by Brendon Baumgartner about 6 years ago

Yes. I ran into the same issue as Ryan Jaeb. It took me a while to figure that out. Very confusing.

#5

Updated by Thomas Rieschl about 6 years ago

With this error I also noticed a really weird, subtle error which took me almost an hour to figure out:
Some firewall/NAT rules weren't applied. It was the rule to allow mail flow between an internal Exchange server and its external mail relay, so no mail got in or out of the organization. I don't know why it just affected port 25 in/out, because other NAT rules (e.g. 443 incoming, OpenVPN) were still working.

Disabling the bogon check on the WAN interface did the trick for me.

Maybe it's possible to load custom firewall rules first, and bogons afterwards?

edit: I use aliases for defining the IP of the mail server. This alias is also stored in a table, right? Maybe that's the cause why just the mail stuff didn't work, because the table couldn't be created.

#6

Updated by Anonymous about 6 years ago

Tested on 2.4.4.a.20180406.1258: a warning appears stating that the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased to at least 400000.

#7

Updated by Anonymous about 6 years ago

Tested on pfSense CE version 2.4.4, built on Wed Apr 11 14:31:44 CDT 2018, after upgrading from 2.4.2. Nothing wrong off the bat; the setting was already 400000. Tried to set it to 200000 and I received the following error:

"The following input errors were detected:

The Firewall Maximum Table Entries value must be greater than 400000 when block bogons is enabled."

#8

Updated by Jim Pingle about 6 years ago

  • Status changed from Feedback to Resolved
#9

Updated by Jim Pingle almost 6 years ago

  • Target version changed from 2.4.4 to 2.4.3-p1