Bug #8417: IPv6 bogon list size now too large to fit in standard maximum table size - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #8417

closed

IPv6 bogon list size now too large to fit in standard maximum table size

Added by Jim Pingle about 6 years ago. Updated almost 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Renato Botelho

Category:

Rules / NAT

Target version:

2.4.3-p1

Start date:

04/02/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

The IPv6 bogon list has grown to the point where it can no longer fit inside the stock value for maximum table size (200000) during a reload.

We need to increase the default value to give it plenty of room, doubling the current default to 400000 should be sufficient.

We may also want a check in the bogons processing code that will prevent loading bogons if the maximum table size is manually set too low.

To Renato for now, he's working on changing the default and adding upgrade code.

Files

pfsense-incorrect-description.png (20.9 KB) pfsense-incorrect-description.png

Ryan Jaeb, 04/02/2018 05:11 PM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle about 6 years ago

Description updated (diff)

Actions

Copy link

Updated by Renato Botelho about 6 years ago

Status changed from Assigned to Feedback
% Done changed from 0 to 100

Applied in changeset 2d113b128f270302cc5380669f257e8bd1cb3a15.

Actions

Copy link

Updated by Ryan Jaeb about 6 years ago

File pfsense-incorrect-description.png pfsense-incorrect-description.png added

I think there's also mistake in the description on the settings page that could mislead people. If you've overridden the default size in the past, the description will claim the current size is the default size. For a while I was thinking the default had already been increased because the firewall I was looking at had the value manually set. You need to re-navigate to the settings page after applying a manual value see the incorrect message. See my attached image.

Actions

Copy link

Updated by Brendon Baumgartner about 6 years ago

Yes. I ran into the same issue as Ryan Jaeb . It took me awhile to figure that out. Very confusing.

Actions

Copy link

Updated by Thomas Rieschl about 6 years ago

With this error I also noticed a really weird subtle error which took me almost an hour to figure out:
Some Firewall/NAT rule weren't applied. It was the rule to allow mail flow between an internal Exchange server and it's external mailrelay, so no mails got in and out of the organization. I don't know, why it just affected port 25 in/out, because other NAT rules (eg. 443 incoming, OpenVPN) were still working.

Disabling the bogon check on the WAN interface did the trick for me.

Maybe it's possible to load custom firewall rules first? and bogons afterwards?

edit: I use aliases for defining the IP of the mailserver. This alias is also stored in a table, right? Maybe that's the cause why just the mail stuff didn't work because the table couldn't be created.

Actions

Copy link

Updated by Anonymous about 6 years ago

Tested on 2.4.4.a.20180406.1258, warning appears stating that the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased at least to 400000.

Actions

Copy link

Updated by Anonymous about 6 years ago

Tested on pfSense CE version: 2.4.4 Built On: Wed Apr 11 14:31:44 CDT 2018 .. after upgrading from 2.4.2. Nothing wrong off the bat, setting was already 400000. Tried to set it to 200000 and I received the following error

"The following input errors were detected:

The Firewall Maximum Table Entries value must be greater than 400000 when block bogons is enabled."

Actions

Copy link