Monday, November 23, 2020

pfBlockerNG: Internet Goes Out After Reboot

While using pfBlockerNG (including the "devel" version) on the SG-3100 and SG-1100 we ran into a problem where all internet traffic would stop after a power loss or a reboot. The only way to get traffic to flow again was to get into the firewall and disable pfBlocker. The fix ended up being very simple, though surprisingly we could not find it listed or mentioned anywhere on the Internet. There are just a few settings that I found needed to be changed:

1. Increase Firewall Maximum Table Entries on the System / Advanced / Firewall & NAT page from 400,000 to 600,000 (could be higher but 600,000 has worked very well for me).

2. Enable De-Duplication, CIDR Aggregation and Suppression pfBlockerNG options on the Firewall / pfBlockerNG / IP page.

After changing those settings I haven't been able to recreate the problem at all, even after adding multiple memory-intensive packages to the firewall.
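Both settings above work on the same quantity: the number of pf table entries the combined feeds produce at load time versus the configured maximum. The following added example (my own code, not part of pfBlockerNG or pfSense) estimates that number for a set of constructed sample feeds by applying de-duplication and CIDR aggregation the way the IP-page options do, approximating one table entry per remaining prefix, and checks the result against a table-entry limit such as the 400,000 default or the 600,000 used above.

```python
import ipaddress

# Constructed sample feeds (documentation ranges, not real blocklists) with the
# duplicated and overlapping entries that make raw feed sizes misleading.
SAMPLE_FEEDS = {
    "feed_a": ["198.51.100.0/24", "198.51.100.7", "203.0.113.0/25",
               "203.0.113.128/25", "192.0.2.1"],
    "feed_b": ["198.51.100.7  # repeated host", "203.0.113.0/24",
               "192.0.2.1", "192.0.2.2", "192.0.2.3"],
}


def parse_entries(lines):
    """Turn feed lines into ip_network objects; comments and junk are skipped."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a malformed line should not abort the whole load
    return nets


def count_raw(feeds):
    """Entries as the feeds deliver them, before any merging."""
    return sum(len(parse_entries(lines)) for lines in feeds.values())


def dedup(feeds):
    """De-Duplication: drop prefixes already seen in an earlier feed or line."""
    seen, out = set(), []
    for lines in feeds.values():
        for net in parse_entries(lines):
            if net not in seen:
                seen.add(net)
                out.append(net)
    return out


def aggregate(nets):
    """CIDR Aggregation: collapse covered and adjacent prefixes, per IP version."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def table_check(feeds, max_table_entries):
    """Report entry counts at each stage and whether the final set fits the limit."""
    deduped = dedup(feeds)
    aggregated = aggregate(deduped)
    return {"raw": count_raw(feeds), "dedup": len(deduped),
            "aggregated": len(aggregated),
            "fits": len(aggregated) <= max_table_entries}
```

On the sample feeds the ten raw lines shrink to eight after de-duplication and four after aggregation; run the same function over your real feed files to see how close the loaded tables come to the Firewall Maximum Table Entries value.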