[solved] Tables Entries?

Started by BrandyWine, August 05, 2025, 07:07:52 AM

August 05, 2025, 07:07:52 AM Last Edit: August 06, 2025, 04:10:29 PM by BrandyWine
v25.7.1_1

What does this "Tables Entries" value in the Aliases section mean?


Mini-pc N150 i226v x520, FREEDOM

It's the system-wide maximum number of individual network segment entries in the alias tables (and its current count).

Depending on alias table size, especially GeoIP tables, this can grow well beyond a million entries (and it also requires headroom in some instances when updating a large alias, as entries are staged before the alias table content is switched).


Cheers,
Franco

It's mostly consumed by the IPv6 bogons alias...


OPNsense 25.7.7_4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.

150k of 1000k is mostly merely 15%  ;)


Cheers,
Franco

153113 of the 155998 utilized/occupied entries is actually very high, like 98%... suggest you take a closer look at the screenshot...
OPNsense 25.7.7_4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.

@hharry, what is the concern with the math of these numbers?
Total available for this system is 1000000. Total used, as Franco says, is 15% of the available total. This is what is important for a system, i.e. how much is left of the available total.
From there, your math of bogons making up 98% of the total currently in use (i.e. 98% of the 15% used) means perhaps something unusual or bad?

I'm only trying to see what could be anomalous in this.

Ok, makes sense. I just didn't know what that number was attributable to. 16% is ok, 84% to go. Will just keep an eye on it.
Mini-pc N150 i226v x520, FREEDOM

Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.

Yes, you want to do that when loading other aliases, especially GeoIP. The new GeoIP database is going to be 4-5 million entries.


Cheers,
Franco

Quote from: pfry on August 06, 2025, 07:11:42 PM
Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.
Thanks for that note. My device has 16GB NVMe RAM; Lobby says the device is only using 9%.
My fw has just a handful of manual objects and rules.
Mini-pc N150 i226v x520, FREEDOM

August 07, 2025, 02:18:51 AM #10 Last Edit: August 07, 2025, 03:52:28 AM by hharry
Quote from: BrandyWine on August 06, 2025, 09:27:13 PM
Quote from: pfry on August 06, 2025, 07:11:42 PM
Did I miss it, or did nobody mention "Firewall: Settings: Advanced" -> "Miscellaneous" -> "Firewall Maximum Table Entries"? If you have the RAM, you can crank it up.
Thanks for that note. My device has 16GB NVMe RAM; Lobby says the device is only using 9%.
My fw has just a handful of manual objects and rules.

If you navigate to Firewall: Aliases, it will show how many entries are loaded per alias in the Loaded column; you'll quickly see that for your configuration the IPv6 bogons alias (bogonsv6) consumes the most entries.

And even if your deployment has IPv6 disabled, OPNsense still loads bogonsv6 into the automatic F/W ruleset (see image below), which seems completely superfluous given the default IPv4+6 * inbound deny rule...


The bogonsv6 alias will have a large number of entries for a very long time, as the public IPv6 uptake rate is quite slow... and IPv6 facilitates a massive number of hosts (2^128) plus the associated prefixes.

The only way to have OPNsense not load the large bogonsv6 alias is to disable "Block bogon networks" on all interfaces, which disables both bogons (v4) and bogonsv6 in the automatic F/W ruleset; there's currently no way to disable just bogonsv6 and keep bogons (v4) enabled in the automatic F/W rulesets.
OPNsense 25.7.7_4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.
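The figures discussed in this thread (the per-alias counts in the Loaded column, the system-wide "Firewall Maximum Table Entries" limit, and the share of the limit that is actually used) can be read from pfctl directly on the firewall. The script below is an added example, not OPNsense's own tooling or anything posted in this thread: it parses `pfctl -sm` for the `table-entries` hard limit and `pfctl -vvsT` for the `Addresses:` count of every loaded table, then prints each table's share of the used entries and of the limit. The function names (`table_limit`, `table_counts`, `report`, `headroom_ok`) are this example's own; the embedded pfctl output is constructed to mirror the numbers quoted above (153113 bogonsv6 entries out of 155998 used, limit 1000000) and is not a capture from a real system. The headroom check is an assumption derived from Franco's note that entries are staged before a large alias is switched, so the largest table is treated as needing roughly its own size free.

```shell
#!/bin/sh
# Added example (not OPNsense's own code): summarise pf table-entry usage.
#
# Live use on an OPNsense/FreeBSD box:
#   pfctl -sm   | table_limit    -> hard limit ("Firewall Maximum Table Entries")
#   pfctl -vvsT | table_counts   -> "name count" per loaded table
# When pfctl is absent the constructed sample output below is used instead.

# Constructed sample of `pfctl -sm`; only the table-entries line matters here.
SAMPLE_MEM='states        hard limit  3255000
src-nodes     hard limit  3255000
frags         hard limit     5000
table-entries hard limit  1000000'

# Constructed sample of `pfctl -vvsT`: a non-indented "<flags> <name>" line,
# followed by indented statistics including "Addresses:" (the loaded count).
# Counts mirror the thread: 1516 + 153113 + 0 + 1369 = 155998.
SAMPLE_TABLES='-pa-r- bogons
    Addresses:   1516
    Cleared:     Thu Aug  7 02:00:00 2025
-pa-r- bogonsv6
    Addresses:   153113
    Cleared:     Thu Aug  7 02:00:00 2025
-pa-r- sshlockout
    Addresses:   0
    Cleared:     Thu Aug  7 02:00:00 2025
-pa-r- __automatic_example_0
    Addresses:   1369
    Cleared:     Thu Aug  7 02:00:00 2025'

# Hard limit for table entries, from `pfctl -sm` on stdin.
table_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# "name count" per table, from `pfctl -vvsT` on stdin.
table_counts() {
    awk '
        /^[^ \t]/           { name = $NF }      # flags then table name
        /^[ \t]+Addresses:/ { print name, $2 }  # loaded entries of that table
    '
}

# Sum of all loaded entries ("name count" lines on stdin).
used_entries() {
    awk '{ s += $2 } END { print s + 0 }'
}

# Name of the largest table ("name count" lines on stdin).
top_table() {
    sort -k2,2nr | awk 'NR == 1 { print $1 }'
}

# Rounded integer percentage of $1 relative to $2.
pct() {
    awk -v a="$1" -v b="$2" 'BEGIN { print int(100 * a / b + 0.5) }'
}

# Assumption (from the staging note in this thread): while an alias is refreshed
# its new entries coexist with the old ones, so the largest table needs roughly
# its own size free below the limit. Args: used largest limit. Returns 1 on risk.
headroom_ok() {
    used=$1 largest=$2 limit=$3
    if [ $((used + largest)) -gt "$limit" ]; then
        echo "WARNING: refreshing the largest table ($largest entries) may exceed the limit of $limit; raise Firewall Maximum Table Entries" >&2
        return 1
    fi
    return 0
}

# Per-table shares, total, and the headroom check. Args: "name count" list, limit.
report() {
    counts=$1 limit=$2
    used=$(printf '%s\n' "$counts" | used_entries)
    big=$(printf '%s\n' "$counts" | top_table)
    bigcount=$(printf '%s\n' "$counts" | awk -v t="$big" '$1 == t { print $2 }')
    printf '%s\n' "$counts" | sort -k2,2nr | while read -r name count; do
        printf '%-28s %9d  %3d%% of used  %3d%% of limit\n' "$name" "$count" \
            "$(pct "$count" "$used")" "$(pct "$count" "$limit")"
    done
    printf '%-28s %9d  %3d%% of limit (%s)\n' TOTAL "$used" "$(pct "$used" "$limit")" "$limit"
    headroom_ok "$used" "$bigcount" "$limit"
}

main() {
    if command -v pfctl >/dev/null 2>&1; then
        limit=$(pfctl -sm | table_limit)
        counts=$(pfctl -vvsT | table_counts)
    else
        limit=$(printf '%s\n' "$SAMPLE_MEM" | table_limit)
        counts=$(printf '%s\n' "$SAMPLE_TABLES" | table_counts)
    fi
    report "$counts" "$limit"
}
main
```

On the sample data the report shows bogonsv6 at 98% of the used entries but only 15% of the limit, and the total at 16% of the limit, which is the distinction the replies above make. On a live system run it as root so pfctl can read the tables; the "TOTAL ... of limit" line is the number to watch before loading GeoIP aliases.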

August 07, 2025, 03:04:00 AM #11 Last Edit: August 07, 2025, 05:04:09 AM by OPNenthu
Is there a formula or rough correlation of table size <-> memory requirement?  Might be useful for system planning, especially as some router appliances have fixed / soldered memory and can't be upgraded.  Maybe a blurb can be added to the relevant section in https://docs.opnsense.org/manual/firewall_settings.html#firewall-maximum-table-entries.

EDIT: I asked an LLM and it said that 1 million table entries in pf is on the order of 32-64 MB, so not a big deal for RAM requirements even if it's hallucinating on the exact amount.  Packet throughput is a potential issue.

@hharry Fortunately that is incorrect information. Unchecking "Interfaces: Settings: Allow IPv6" will immediately unload bogonsv6 entries. I've tried it just now because you're very persistent in your opinion. You're welcome.

Confirmed here too. My bogonsv6 is empty and "Interfaces: Settings: Allow IPv6" is unchecked, as I am not using IPv6.

@Franco, so you've just confirmed there's no way to have IPv4+6 interfaces with only bogons (v4), right?
OPNsense 25.7.7_4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, mDNS proxy, sftp-backup plugins. limited kea DHCP server deployment.