25 Apr 2018

IPv6 bogons – OPNsense errors?

I must admit I am still getting used to a more complex firewall setup, as detailed in earlier posts. I’m constantly finding new things in the settings panel which have absolutely no applicable use to me, but absolutely do to those in the larger enterprise space.

That’s all well and good, and I’ve been tootling along just fine leaving most of the more advanced settings alone. Until…

[Screenshot: the bogons error message shown after applying firewall settings]

[ There were error(s) loading the rules: /tmp/rules.debug:15: cannot define table bogonsv6: Cannot allocate memory – The line in question reads [15]: table <bogonsv6> persist file /usr/local/etc/bogonsv6 ]

This was weird. As far as I’m aware, my ISP doesn’t have IPv6 support yet – but I can’t ignore it since it will come in the future. I was also having problems getting ports forwarded – I would apply the settings but still couldn’t get through unless I rebooted the router. This didn’t make sense to me – it had all been working before. One nice thing about OPNsense is the ability to live view packets being allowed or blocked by the firewall – this way I could see that the default rule was still blocking packets that should have been allowed through.

That message appeared at the top of the screen each time I applied the firewall settings. Hmm… What does it actually mean? I did some digging and discovered that the IPv6 bogon list was recently expanded – and this has now pushed the table past the default maximum number of firewall table entries, so pf refuses to load the ruleset at all.

Since IPv6 is still relatively new, the bogon list is still being updated. The list covers address space that should never appear as a source on the incoming side of the WAN (unallocated ranges and reserved ones such as loopback), so traffic from those addresses is blocked for security purposes.

The solution to this is to bump up the maximum size from the default.

[Screenshot: the Firewall Maximum Table Entries setting]

I’ve set mine to 1 million since I have plenty of memory and CPU and didn’t want another bogon update to trip the limit again. 200,000 is the default limit for versions around the time of writing this (though I’ve read that 400,000 is a decent setting to use). Maybe a million is too many, but I’ll see!
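As an added check (not from the original post), here is a small POSIX shell script that counts the entries in the two bogon table files and compares them, plus some headroom for the next list update, against the table-entries hard limit reported by pfctl. The file paths are taken from the error message above; the `pfctl -sm` output format and the sample data are assumed and constructed.

```shell
#!/bin/sh
# Added example (not from the post): estimate whether the pf bogon tables fit
# under the table-entries hard limit that OPNsense derives from "Firewall
# Maximum Table Entries". Assumes the table files live where the error message
# says (/usr/local/etc/bogons and /usr/local/etc/bogonsv6) and that `pfctl -sm`
# prints the FreeBSD format "table-entries hard limit  200000".

# Count the entries pf will load from a table file: blank lines and
# '#' comments are skipped, every other line is one address or prefix.
count_table_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Pull the table-entries hard limit out of `pfctl -sm` output read from stdin.
table_entries_limit() {
    awk '$1 == "table-entries" { print $4 }'
}

# check_bogon_tables V4_FILE V6_FILE LIMIT HEADROOM_PERCENT
# Returns 0 when both tables plus HEADROOM_PERCENT fit under LIMIT, 1 when
# loading them would fail with "cannot define table ...: Cannot allocate
# memory" as in the post. The limit is shared by every pf table (aliases
# included), so this is a lower bound on what the whole ruleset needs.
check_bogon_tables() {
    v4=$(count_table_entries "$1")
    v6=$(count_table_entries "$2")
    total=$((v4 + v6))
    needed=$((total + total * $4 / 100))
    if [ "$needed" -gt "$3" ]; then
        echo "bogons=$v4 bogonsv6=$v6 needed=$needed limit=$3: would exceed table-entries"
        return 1
    fi
    echo "bogons=$v4 bogonsv6=$v6 needed=$needed limit=$3: ok"
}

# Stand-alone demo on constructed sample files. On the firewall itself run:
#   check_bogon_tables /usr/local/etc/bogons /usr/local/etc/bogonsv6 \
#       "$(pfctl -sm | table_entries_limit)" 25
demo_dir=$(mktemp -d)
printf '# constructed sample\n10.0.0.0/8\n\n127.0.0.0/8\n' > "$demo_dir/bogons"
printf '::1/128\nfe80::/10\n2001:db8::/32\n' > "$demo_dir/bogonsv6"
sample_pfctl='states        hard limit    10000
table-entries hard limit   200000'
demo_limit=$(printf '%s\n' "$sample_pfctl" | table_entries_limit)
check_bogon_tables "$demo_dir/bogons" "$demo_dir/bogonsv6" "$demo_limit" 25
check_bogon_tables "$demo_dir/bogons" "$demo_dir/bogonsv6" 5 25 || true
rm -rf "$demo_dir"
```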

Another option is to disable IPv6 bogon filtering on the Interfaces settings page – though since my ISP could enable IPv6 at any time, I’m going to leave it enabled and just increase the firewall table entry limit instead.

[Screenshot: the Block bogon networks option on the interface settings page]

I wouldn’t recommend turning off bogon filtering, since it is actually quite important, especially with IPv6 covering a much larger address space.

Anyway – now that’s been dealt with I can move onto DNS-over-TLS (since it’s all over the web at the moment). Stay tuned!
