
Bug #8417

IPv6 bogon list size now too large to fit in standard maximum table size

Added by Jim Pingle about 1 year ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Category: Rules/NAT
Target version:
Start date: 04/02/2018
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All

Description

The IPv6 bogon list has grown to the point where it can no longer fit inside the stock value for maximum table size (200000) during a reload.

We need to increase the default value to give it plenty of room; doubling the current default to 400000 should be sufficient.

We may also want a check in the bogons processing code that will prevent loading bogons if the maximum table size is manually set too low.

To Renato for now, he's working on changing the default and adding upgrade code.
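As an added example, not pfSense's own bogon-loading code, here is a shell pre-check in the spirit of the proposal above: count the entries in the table files about to be loaded, compare the sum against the configured table-entries limit (pf applies that limit to the total across all tables, which is why other tables can fail to load once the bogon lists fill it), and skip the load when it does not fit. The file names, the limit values and the table contents are constructed sample data; `current_table_limit` only works on a host running pf and is not used by the sample run.

```shell
#!/bin/sh
# Added example (not pfSense code): refuse to load bogon tables when the
# configured pf table-entries limit cannot hold them.

# count_entries FILE... -> number of loadable lines across the files
# (blank lines and '#' comments are skipped, as pfctl -T load would).
count_entries() {
    total=0
    for f in "$@"; do
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# bogons_fit LIMIT FILE... -> 0 if LIMIT covers every entry, 1 otherwise.
# The limit is global across all pf tables, so pass every table file that
# will be loaded, not just the bogon lists.
bogons_fit() {
    limit=$1; shift
    needed=$(count_entries "$@")
    if [ "$needed" -gt "$limit" ]; then
        echo "Maximum Table Entries ($limit) is too small for $needed entries; skipping bogon table load" >&2
        return 1
    fi
    return 0
}

# current_table_limit -> the live "table-entries hard limit" from pf.
# Requires pfctl; only meaningful on a pf host.
current_table_limit() {
    pfctl -sm 2>/dev/null | awk '/table-entries/ { print $4 }'
}

# Constructed sample table files standing in for /etc/bogons and /etc/bogonsv6.
SAMPLE_DIR=$(mktemp -d)
printf '# bogons v4\n10.0.0.0/8\n192.168.0.0/16\n\n' > "$SAMPLE_DIR/bogons"
printf '# bogons v6\n2001:db8::/32\nfc00::/7\n3ffe::/16\n' > "$SAMPLE_DIR/bogonsv6"

# Sample run: five entries fit under a limit of 400000 but not under 4.
bogons_fit 400000 "$SAMPLE_DIR/bogons" "$SAMPLE_DIR/bogonsv6" && echo "fits: loading bogons"
bogons_fit 4 "$SAMPLE_DIR/bogons" "$SAMPLE_DIR/bogonsv6" || echo "skipped: limit too low"
```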

Attachment: pfsense-incorrect-description.png (20.9 KB), Ryan Jaeb, 04/02/2018 05:11 PM

Associated revisions

Revision 2d113b12 (diff)
Added by Renato Botelho about 1 year ago

Fix #8417

- Changed default value for Maximum Table Entries to 400000 in order to make bogonsv6 work
- Added code to upgrade config and set default value on systems where it's not defined
- Changed default config to match new default and version 18.0
- Added checks to enable 'block bogons' and to enable IPv6 requesting the minimum value
- Notify admin when Maximum Table Entries value is too small and in this case skip bogonsv6 table creation

Revision 5ab6ce1d (diff)
Added by Renato Botelho about 1 year ago

Fix #8417

- Changed default value for Maximum Table Entries to 400000 in order to make bogonsv6 work
- Added code to upgrade config and set default value on systems where it's not defined
- Changed default config to match new default and version 18.0
- Added checks to enable 'block bogons' and to enable IPv6 requesting the minimum value
- Notify admin when Maximum Table Entries value is too small and in this case skip bogonsv6 table creation

Revision 6ad146e0 (diff)
Added by Jim Pingle about 1 year ago

Reword bogon block size error text. Ticket #8417

Revision 8d06b6c2 (diff)
Added by Jim Pingle 12 months ago

Reword bogon block size error text. Ticket #8417

(cherry picked from commit 6ad146e0445961ccba5323cccadcdfddc98e7d55)

Revision 98dfd103 (diff)
Added by Jim Pingle 12 months ago

Backport table size increase for larger bogons. Ticket #8417

History

#1 Updated by Jim Pingle about 1 year ago

  • Description updated (diff)

#2 Updated by Renato Botelho about 1 year ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#3 Updated by Ryan Jaeb about 1 year ago

I think there's also a mistake in the description on the settings page that could mislead people. If you've overridden the default size in the past, the description will claim the current size is the default size. For a while I was thinking the default had already been increased because the firewall I was looking at had the value manually set. You need to re-navigate to the settings page after applying a manual value to see the incorrect message. See my attached image.

#4 Updated by Brendon Baumgartner about 1 year ago

Yes. I ran into the same issue as Ryan Jaeb. It took me a while to figure that out. Very confusing.

#5 Updated by Thomas Rieschl about 1 year ago

With this error I also noticed a really weird, subtle error which took me almost an hour to figure out:
Some firewall/NAT rules weren't applied. It was the rule to allow mail flow between an internal Exchange server and its external mail relay, so no mail got in or out of the organization. I don't know why it only affected port 25 in/out, because other NAT rules (e.g. 443 incoming, OpenVPN) were still working.

Disabling the bogon check on the WAN interface did the trick for me.

Maybe it's possible to load custom firewall rules first, and bogons afterwards?

edit: I use aliases for defining the IP of the mail server. This alias is also stored in a table, right? Maybe that's the cause why just the mail stuff didn't work, because the table couldn't be created.

#6 Updated by James Dekker about 1 year ago

Tested on 2.4.4.a.20180406.1258; a warning appears stating that the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased to at least 400000.

#7 Updated by James Dekker about 1 year ago

Tested on pfSense CE version 2.4.4, built on Wed Apr 11 14:31:44 CDT 2018, after upgrading from 2.4.2. Nothing wrong off the bat; the setting was already 400000. Tried to set it to 200000 and I received the following error:

"The following input errors were detected:

The Firewall Maximum Table Entries value must be greater than 400000 when block bogons is enabled."

#8 Updated by Jim Pingle about 1 year ago

  • Status changed from Feedback to Resolved

#9 Updated by Jim Pingle 12 months ago

  • Target version changed from 2.4.4 to 2.4.3_1
