Bug #8417
closed
IPv6 bogon list size now too large to fit in standard maximum table size
Added by Jim Pingle over 6 years ago.
Updated over 6 years ago.
Affected Architecture: All
Description
The IPv6 bogon list has grown to the point where it can no longer fit inside the stock value for maximum table size (200000) during a reload.
We need to increase the default value to give it plenty of room; doubling the current default to 400000 should be sufficient.
We may also want a check in the bogons processing code that will prevent loading bogons if the maximum table size is manually set too low.
To Renato for now; he's working on changing the default and adding upgrade code.
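The guard proposed above, written out as an added example (not pfSense's own rc.update_bogons.sh or PHP code): it counts the entries in the bogon list files and refuses to load them when the configured pf table-entries limit would not hold them. It assumes list files in the /etc/bogons style (one prefix per line, '#' comments) and takes the limit as a plain integer; the file paths and the 10% headroom are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not pfSense code: emulate a "bogons do not fit" check that
# runs before the tables are loaded, instead of letting pf fail mid-reload.
# Assumptions: bogon lists are plain files with one prefix per line and '#'
# comments (like /etc/bogons and /etc/bogonsv6); the limit is the integer
# that would appear in pf.conf as "set limit table-entries N".

# Count usable entries (non-blank, non-comment lines) across the given files.
count_bogon_entries() {
    grep -hEv '^[[:space:]]*(#|$)' "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when the limit leaves room for the bogon tables, 1 otherwise.
# $1 = configured table-entries limit, remaining args = bogon list files.
bogon_tables_fit() {
    limit="$1"; shift
    total=$(count_bogon_entries "$@")
    # Aliases and other tables share the same limit; keep ~10% headroom
    # (assumed margin) so a reload does not fail on the next list update.
    needed=$(( total + total / 10 ))
    if [ "$needed" -gt "$limit" ]; then
        echo "bogons need about $needed table entries but limit is $limit; skipping load" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage against constructed sample lists (not real bogon data).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '# constructed v4 list\n192.0.2.0/24\n\n198.51.100.0/24\n' > "$d/bogons"
    printf '2001:db8::/32\n# comment\n2001:db8:1::/48\n' > "$d/bogonsv6"
    bogon_tables_fit 400000 "$d/bogons" "$d/bogonsv6" && echo "fits"
    bogon_tables_fit 3 "$d/bogons" "$d/bogonsv6" || echo "refused"
    rm -rf "$d"
fi
```

The shipped fix instead enforces a fixed minimum of 400000 in the settings page when block bogons is enabled; counting the lists directly keeps the check valid as the lists keep growing.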
- Description updated (diff)
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
I think there's also a mistake in the description on the settings page that could mislead people. If you've overridden the default size in the past, the description will claim the current size is the default size. For a while I was thinking the default had already been increased because the firewall I was looking at had the value manually set. You need to re-navigate to the settings page after applying a manual value to see the incorrect message. See my attached image.
Yes. I ran into the same issue as Ryan Jaeb. It took me a while to figure that out. Very confusing.
With this error I also noticed a really weird subtle error which took me almost an hour to figure out:
Some Firewall/NAT rules weren't applied. It was the rule to allow mail flow between an internal Exchange server and its external mail relay, so no mails got in or out of the organization. I don't know why it only affected port 25 in/out, because other NAT rules (e.g. 443 incoming, OpenVPN) were still working.
Disabling the bogon check on the WAN interface did the trick for me.
Maybe it's possible to load custom firewall rules first, and bogons afterwards?
edit: I use aliases for defining the IP of the mail server. This alias is also stored in a table, right? Maybe that's the reason why just the mail stuff didn't work: the table couldn't be created.
Tested on 2.4.4.a.20180406.1258: a warning appears stating that the Firewall Maximum Table Entries value in System / Advanced / Firewall must be increased to at least 400000.
Tested on pfSense CE version 2.4.4, built on Wed Apr 11 14:31:44 CDT 2018, after upgrading from 2.4.2. Nothing wrong off the bat; the setting was already 400000. Tried to set it to 200000 and I received the following error:
"The following input errors were detected:
The Firewall Maximum Table Entries value must be greater than 400000 when block bogons is enabled."
- Status changed from Feedback to Resolved
- Target version changed from 2.4.4 to 2.4.3-p1