OPNSense, 21.7, GeoIP, MaxMind, IPv6 aliases error: "Invalid argument. [ALIAS]"

Started by PerpetualNewbie, August 01, 2021, 12:17:54 PM

Hello,

We upgraded from OPNSense 21.1.8 to 21.1.9 to 21.7.

Before upgrade, MaxMind GeoIP aliases for dual stack IPv4/IPv6 were working.

Now, any GeoIP aliases with just IPv6 selections, or IPv4/IPv6 selections no longer work, and break rule selection, denying port-forward and firewall rules from matching for selection.

When I visit any GeoIP alias with pure IPv6 rules or combination IPv4/IPv6 and edit, then save, or create new and then save, then with either case when complete, choose "apply" I see an error like this for each GeoIP Alias with any support for IPv6:

"Invalid argument. [NAME_OF_ALIAS_with_pure_IPv6_rules_or_IPv4_and_IPv6_rules]"

Where you replace the name "NAME_OF_ALIAS_with_pure_IPv6_rules_or_IPv4_and_IPv6_rules" with the actual name of each alias.

To try to debug...

I've pulled out the URL for downloading updates from MaxMind, and the URL works. I get a zip file with CSV items.

I've manually called the script from the command-line to complete this import process, which appears to complete with a zero exit status (no errors.)

After the script downloads an update, the directory /usr/local/share/GeoIP/alias/ has new files.

For each country selected in the IPv6 rules (examples: CA,US,SG,ZA,IN,AE) I've confirmed there are files in /usr/local/share/GeoIP/alias/ for those regions and IPv4 and IPv6 and none are zero-length.

When I make pure IPv4 GeoIP aliases, and duplicate the dual-stack rules to pure IPv4 rules for firewall or port-forwarding, those work.

Suggestions on where to look next?

Sorry for self reply, but problem found.
Firewall -> Settings -> Advanced -> "Firewall Maximum Table Entries"

Quadrupled the present setting, then re-tried to complete a GeoIP, IPv6 alias rule, and the error changed to something about insufficient memory for the v6 aliases.

After some re-tooling, I reduced the number of GeoIP aliases from 5 to 4, then 4 to 3 by re-using the same alias with different countries for services where it didn't quite apply, and now, after edits of any GeoIP IPv6 aliases, no more errors and rules which use them are no longer skipped.

I'll advise my boss we need to get more memory for our instance.

Again, sorry for replying to myself and wasting your time.

Have a great day!
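
The fix described above came down to pf's table-entries limit (the value behind "Firewall Maximum Table Entries") being smaller than what the GeoIP aliases needed. The sketch below is an added example, not part of the original posts or of OPNsense: it sums the networks each alias would load and compares the total with a limit. The function names are hypothetical, and it assumes the alias files are named `<CC>-IPv4` / `<CC>-IPv6` with one network per line; the sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumption: alias files are <CC>-IPv4 / <CC>-IPv6, one network per line.
GEOIP_DIR="${GEOIP_DIR:-/usr/local/share/GeoIP/alias}"

# alias_entries PROTO CC...  (PROTO: IPv4, IPv6 or both) -> prints network count
alias_entries() {
    proto="$1"; shift
    total=0
    for cc in "$@"; do
        for fam in IPv4 IPv6; do
            [ "$proto" = both ] || [ "$proto" = "$fam" ] || continue
            f="$GEOIP_DIR/$cc-$fam"
            if [ ! -s "$f" ]; then
                echo "missing or empty: $f" >&2
                return 2
            fi
            n=$(grep -c . "$f" || true)
            total=$((total + n))
        done
    done
    echo "$total"
}

# check_budget LIMIT "PROTO CC..." ...  -> 0 if all aliases fit, 1 if not, 2 on error
check_budget() {
    limit="$1"; shift
    sum=0
    for spec in "$@"; do
        n=$(alias_entries $spec) || return 2   # $spec is split on purpose
        echo "alias [$spec]: $n entries"
        sum=$((sum + n))
    done
    echo "total: $sum of $limit table entries"
    [ "$sum" -le "$limit" ]
}

# Constructed sample data (documentation prefixes, not MaxMind output)
make_sample() {
    GEOIP_DIR=$(mktemp -d)
    printf '192.0.2.0/24\n198.51.100.0/24\n' > "$GEOIP_DIR/CA-IPv4"
    printf '2001:db8:1::/48\n2001:db8:2::/48\n2001:db8:3::/48\n' > "$GEOIP_DIR/CA-IPv6"
    printf '203.0.113.0/24\n' > "$GEOIP_DIR/US-IPv4"
    printf '2001:db8:a::/48\n2001:db8:b::/48\n' > "$GEOIP_DIR/US-IPv6"
}

make_sample
check_budget 10 "both CA US" "IPv6 CA" || echo "aliases exceed the limit"
```

On the firewall itself, `pfctl -sm` prints the table-entries limit currently in effect, which is the number to pass as the first argument.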


Do you happen to know what the default value for "Firewall Maximum Table Entries" is?

Hi, in the info tooltip it reads "Note: Leave this blank for the default. On your system the default size is: 1000000"

I can't get mine working after the update, Firewall Maximum Table Entries is 2000000
Memory usage 18% (1524/8070MB)
Disk usage 8% [ufs] (2.1G/27G)

I have deleted the alias and GeoIP rule, re-added but still no go.

Any other ideas?

Thanks all
OPNsense 23.1.2-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Update

I have tried connecting to my server behind OPNSense via Tor browser and I cannot connect, so it seems to be working just logging as green/allowed?

Update 2

Got it working, I disabled all WAN rules, re-enabled and now working as it should, almost.

The firewall log now has "IPv6 RFC4890 requirements (ICMP)" on every other line, but that's for another thread.