21.1 Legacy Series / Huge bogonsv6 list = really long boot time
« on: April 21, 2021, 11:38:56 pm »
I don't reboot my router very often luckily, usually just when doing upgrades. However, I recently started noticing a really long startup time which is spent waiting on "Configuring Firewall..." with the CPU just pegged out. We're talking times of 10+ minutes waiting like that.
I decided to dig through all of my firewall rules to figure out what was taking so long. In doing so I looked at the number of addresses defined for the bogonsv6 alias, and as soon as I saw that I knew what the holdup was. There are 10s of thousands that are added to the firewall rules for blocking bogons via that alias (makes sense given the address space of IPv6).
I have turned off blocking bogons for now and that makes an instant difference. I wonder though if there are any optimizations that can be made to how firewall rulesets are loaded that could reduce the amount of time it takes to get through this at bootup time. Considering that making changes to firewall rulesets and applying changes even with the block bogons enabled is very quick, it kinda surprises me that it takes so long to load the ruleset at bootup (though maybe applying changes doesn't force a full ruleset reload).
Other thought - I've had the Block Bogons feature enabled since the dawn of time, and have had dual-stack IPv6 running for the past few years - so why is this suddenly an issue more recently?
Currently on OPNsense 21.1.5-amd64

