v25.7.1_1
What do these table entries from the Aliases section mean?
(https://i.postimg.cc/cJTQ0kTq/Screenshot-2025-08-04-220409.png)
It's the system wide maximum amount of individual network segment entries in the alias tables (and its current count).
Depending on alias table size, especially GeoIP tables this can grow well beyond a million entries (and also requires headroom in some instances when updating a large alias as entries are staged before the alias table content is switched).
Cheers,
Franco
It's mostly consumed by the IPv6 bogons alias....
150k of 1000k is mostly merely 15% ;)
Cheers,
Franco
153113 of the 155998 utilized/occupied entries is actually very high, like 98%.... Suggest you take a closer look at the screenshot....
@hharry, what is the concern with the math of these numbers?
Total available for this system is 1000000. Total used, as Franco says, is 15% of the available total. This is what is important for a system, i.e. how much is left of the available total.
From there, your math of bogons making up 98% of the total currently in use, i.e. 98% of the 15% total used, means perhaps something unusual or bad?
I'm only trying to see what could be anomalous in this.
Ok, makes sense. I just didn't know what contributes to that number. 16% is ok, 84% to go. Will just keep an eye on it.
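To make the two percentages in this exchange concrete (share of the configured limit vs. share of the entries currently in use) and to check the headroom Franco mentions for staged alias updates, here is an added script that is not from the thread or the OPNsense project. It parses constructed sample output shaped like `pfctl -sm` and a constructed list of per-table counts; the assumption that a refresh needs free room for a full second copy of the alias is mine, based on Franco's description.

```sh
#!/bin/sh
# Added example: summarise pf table usage against the table-entries limit
# ("Firewall Maximum Table Entries" in OPNsense) and check refresh headroom.

# Pull the table-entries hard limit out of `pfctl -sm` output passed as $1.
limit_from_pfctl_sm() {
    printf '%s\n' "$1" | awk '$1 == "table-entries" { print $NF }'
}

# Read "table count" lines on stdin; $1 is the limit. Print each table's share
# of the limit and of the entries in use, then a totals line with free room.
summarize_tables() {
    awk -v limit="$1" '
        { count[$1] = $2; used += $2 }
        END {
            for (t in count)
                printf "%-12s %8d  %5.1f%% of limit  %5.1f%% of in-use\n",
                       t, count[t], 100 * count[t] / limit, 100 * count[t] / used
            printf "total %d/%d (%.1f%% used, %d free)\n",
                   used, limit, 100 * used / limit, limit - used
        }'
}

# Return 0 if a table of $3 entries still fits in the free room (limit $1 minus
# used $2). Assumption: an alias update stages its new content before the swap,
# so the free room must hold a complete second copy of the largest alias.
headroom_ok() {
    [ $(($1 - $2)) -ge "$3" ]
}

# Constructed sample data; the counts mirror the numbers quoted in the thread.
SAMPLE_SM='states        hard limit   500000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit  1000000'
SAMPLE_TABLES='bogonsv6 153113
bogons 2850
sshlockout 35'

# On a live OPNsense/FreeBSD box the same inputs come from:
#   pfctl -sm
#   for t in $(pfctl -sT); do echo "$t $(pfctl -t "$t" -T show | wc -l)"; done
LIMIT=$(limit_from_pfctl_sm "$SAMPLE_SM")
printf '%s\n' "$SAMPLE_TABLES" | summarize_tables "$LIMIT"
if headroom_ok "$LIMIT" 155998 153113; then
    echo "largest alias can still be refreshed in place"
else
    echo "WARNING: not enough free entries to stage the largest alias"
fi
```

With the sample numbers bogonsv6 comes out at 15.3% of the limit but 98.2% of the entries in use, which is the distinction the posts above are making.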
Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.
Yes, you want to do that when loading other aliases, especially GeoIP. The new GeoIP database is going to be 4-5 million entries.
Cheers,
Franco
Quote from: pfry on August 06, 2025, 07:11:42 PM
Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.
Thanks for that note. My device has 16GB NVMe ram, Lobby says device is only using 9%.
My fw has just a handful of manual objects and rules.
Quote from: BrandyWine on August 06, 2025, 09:27:13 PM
Quote from: pfry on August 06, 2025, 07:11:42 PM
Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.
Thanks for that note. My device has 16GB NVMe ram, Lobby says device is only using 9%.
My fw has just a handful of manual objects and rules.
If you navigate to Firewall: Aliases, it will show how many entries are in the Loaded column, per alias. You'll quickly see that for your configuration the IPv6 bogons alias (bogonsv6) consumes the most entries.
And, even if your deployment has IPv6 disabled, OPNsense still loads bogonsv6 into the F/W automatic ruleset...see image below. Which seems completely superfluous, given the default IPv4+6 * inbound deny rule....
The bogonsv6 alias will have a large number of entries for a very long time, as the public IPv6 uptake/utilization rate is quite slow....and IPv6 facilitates a massive number of hosts (2^128) + associated prefixes.
The only way to have OPNsense not load the large bogonsv6 alias is to disable Block bogon networks on all interfaces, which disables both bogons (v4) and bogonsv6 in the automatic F/W ruleset. There's no current way to disable just bogonsv6 and have bogons (v4) enabled in the automatic F/W rulesets.
Is there a formula or rough correlation of table size <-> memory requirement? Might be useful for system planning, especially as some router appliances have fixed / soldered memory and can't be upgraded. Maybe a blurb can be added to the relevant section in https://docs.opnsense.org/manual/firewall_settings.html#firewall-maximum-table-entries.
EDIT: I asked an LLM and it said that 1 million table entries in pf is on the order of 32-64 MB, so not a big deal for RAM requirements even if it's hallucinating on the exact amount. Packet throughput is a potential issue.
@hharry Fortunately that is incorrect information. Unchecking "Interfaces: Settings: Allow IPv6" will immediately unload bogonsv6 entries. I've tried it just now because you're very persistent in your opinion. You're welcome.
Confirmed here too. My bogonsv6 is empty and "Interfaces: Settings: Allow IPv6" unchecked as I am not using IPv6.
@Franco so you've just confirmed there's no way to have IPv4+6 interfaces with only bogons (v4), right?
I don't even know what you're asking for in somebody else's thread.
I just unchecked "allow ipv6", and now in the Aliases section "bogons" still shows 2850, "bogonsv6" is blank.
So in summary, with "allow ipv6" enabled, my ifaces were v4+v6 and both bogons lists were there. I disable "ipv6" and my ifaces are now just ipv4 and only the "bogons" list is there.
Quote from: hharry on August 07, 2025, 10:01:11 AM
@Franco so you've just confirmed there's no way to have IPv4+6 interfaces with only bogons (v4), right?
Why would you want the bogonsv6 list active if the iface is only ipv4? If ipv6 is disabled how would any ipv6 get fwd'd to the iface at layer-2?
Edit: even with IPv6 disabled from OPNsense, it does appear IPv6 in the OS stack is still there. See my later post.
Quote from: OPNenthu on August 07, 2025, 03:04:00 AM
EDIT: I asked an LLM and it said that 1 million table entries in pf is on the order of 32-64 MB, so not a big deal for RAM requirements even if it's hallucinating on the exact amount. Packet throughput is a potential issue.
I just now turned off ipv6, bogonsv6 table emptied out, yet mem usage in Lobby appears exactly the same. I had 16% aliases table entries, now it's at 2881/1mil, or 0%.
On my system, 16GB ram, just from gui numbers (no real looking), 16% of the 1mil was not even reflected in mem use. We know some mem is used, but it must be small.
If it's 64-128MB for 1mil entries, that's nothing really. If you change max and start to really load up on entries, then maybe mem becomes something to look at. I was thinking maybe get 32GB ram, but my research said I only need 16. These days getting 32GB is not much more over the 16. So far my 16ram 512disk seems to be plenty.
Just for some clarity on the FreeBSD OS, there's only one (1) tcp/ip stack loaded, "freebsd". This is an IPv6 stack that does IPv4 mapping by default. One stack that does both.
The "allow ipv6" setting in OPNsense is an OPNsense thing (control at layer 3), not an OS stack control.
You can use sysctl to have the stack be ipv4+ipv6 (the default), ipv4 only, or ipv6 only. This is at OS level.
I don't see any gains at OS level, like you're not saving memory because the "freebsd" stack is the only stack that is loaded, and you need at least one, etc. Duly granted, an IPv6 stack that handles IPv4 has to do mapping, which means more processing, but likely not relevant at this level of device.
https://www.siberoloji.com/how-to-enable-or-disable-ipv6-on-freebsd-operating-system/
If the OPNsense gui options were "4+6", "4only", "6only", it could essentially write the needed sysctl (or other cfg) items for boot time, then you would need to reboot to get those changes. You could essentially have a mix of support, like per iface settings, controlled at the tcp/ip stack level config.
I bolded only because that would be a good feature to have.