Bug #8417
closed
IPv6 bogon list size now too large to fit in standard maximum table size
100%
Description
The IPv6 bogon list has grown to the point where it can no longer fit inside the stock value for maximum table size (200000) during a reload.
We need to increase the default value to give it plenty of room; doubling the current default to 400000 should be sufficient.
We may also want a check in the bogons processing code that will prevent loading bogons if the maximum table size is manually set too low.
To Renato for now; he's working on changing the default and adding upgrade code.
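A sketch of the kind of pre-load check the description proposes, as an added example (not pfSense's own code, which is not shown on this page). The function names, the headroom factor of 2 and the sample data are assumptions made for illustration; the only real tool referenced is `pfctl -sm`, whose output format the parser expects.

```shell
#!/bin/sh
# Added example (not pfSense code): check that bogon lists fit pf's table limit.
# On a firewall: bogons_fit "$(pfctl -sm | table_entries_limit)" 2 LIST_FILE...

# Read `pfctl -sm` style output on stdin, print the table-entries hard limit.
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $NF; exit }'
}

# Count entries in a list file, skipping blank lines and '#' comment lines.
count_entries() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# bogons_fit LIMIT FACTOR FILE...
# FACTOR is an assumed headroom multiplier (2 = room for an old and a new
# copy of each table during a reload). Returns 0 if the lists fit, 1 if
# they do not, 2 on bad input (non-numeric argument or unreadable file).
bogons_fit() {
    limit=$1; factor=$2; shift 2
    for n in "$limit" "$factor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    total=0
    for f in "$@"; do
        [ -r "$f" ] || return 2
        total=$((total + $(count_entries "$f")))
    done
    echo "entries=$total needed=$((total * factor)) limit=$limit"
    [ $((total * factor)) -le "$limit" ]
}

# Demo on constructed data only: sh this_file --demo
if [ "${1:-}" = "--demo" ]; then
    list=$(mktemp)
    printf '# constructed sample list\n2001:db8::/32\n2001:db8:1::/48\n3fff::/20\n' > "$list"
    limit=$(printf 'states        hard limit   100000\ntable-entries hard limit        4\n' \
        | table_entries_limit)
    bogons_fit "$limit" 2 "$list" \
        || echo "refusing to load bogons: raise Firewall Maximum Table Entries"
    rm -f "$list"
fi
```

A non-zero return is the signal to skip loading the bogon tables and warn the administrator instead of letting the ruleset reload fail.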
Updated by Renato Botelho over 6 years ago
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
Applied in changeset 2d113b128f270302cc5380669f257e8bd1cb3a15.
Updated by Ryan Jaeb over 6 years ago
I think there's also a mistake in the description on the settings page that could mislead people. If you've overridden the default size in the past, the description will claim the current size is the default size. For a while I was thinking the default had already been increased because the firewall I was looking at had the value manually set. You need to re-navigate to the settings page after applying a manual value to see the incorrect message. See my attached image.
Updated by Brendon Baumgartner over 6 years ago
Yes. I ran into the same issue as Ryan Jaeb. It took me a while to figure that out. Very confusing.
Updated by Thomas Rieschl over 6 years ago
With this error I also noticed a really weird subtle error which took me almost an hour to figure out:
Some Firewall/NAT rules weren't applied. It was the rule to allow mail flow between an internal Exchange server and its external mail relay, so no mails got in and out of the organization. I don't know why it just affected port 25 in/out, because other NAT rules (e.g. 443 incoming, OpenVPN) were still working.
Disabling the bogon check on the WAN interface did the trick for me.
Maybe it's possible to load custom firewall rules first, and bogons afterwards?
edit: I use aliases for defining the IP of the mailserver. This alias is also stored in a table, right? Maybe that's the cause why just the mail stuff didn't work because the table couldn't be created.
Updated by Anonymous over 6 years ago
Tested on 2.4.4.a.20180406.1258, warning appears stating that the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased at least to 400000.
Updated by Anonymous over 6 years ago
Tested on pfSense CE version: 2.4.4 Built On: Wed Apr 11 14:31:44 CDT 2018 .. after upgrading from 2.4.2. Nothing wrong off the bat, setting was already 400000. Tried to set it to 200000 and I received the following error:
"The following input errors were detected:
The Firewall Maximum Table Entries value must be greater than 400000 when block bogons is enabled."
Updated by Jim Pingle over 6 years ago
- Target version changed from 2.4.4 to 2.4.3-p1