Messages - Pocket_Sevens

#61
Thanks for this.  I can see your setup of your conf file and I see that I can either create a script with the command "/sbin/pfctl -F state" or put the command directly into the conf file.

So the command "/sbin/pfctl -F state" checks the state of the gateway and, if it fails, reboots?
#62
Good morning.

I am trying to create a custom script to be used in CRON to periodically check the gateway and reboot the router if there's no connection.

The script I used can be found here:  https://forum.netgate.com/topic/64563/pfsense-auto-reboot-script-when-google-is-unreachable/3

I put the script into the file /usr/local/opnsense/scripts/gatewaycheck.sh.  I also created a conf file actions_gatewaycheck.conf:


[check]
command:/usr/local/opnsense/scripts/gatewaycheck.sh
parameters:
type:script
message:Check the Gateway
description:Periodically check the gateway and reboot if needed

I ran the command "service configd restart" to restart configd.  However, when I run the command "configctl gatewaycheck check", I get the following response:

configd socket missing (@/var/run/configd.socket)

Since I'm new at creating a new script, any assistance would be greatly appreciated.
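An added example (not the script linked above and not OPNsense's own code) of what a gatewaycheck.sh behind this configd action could look like: it probes a target several times before deciding the gateway is down, and reboots only when DO_REBOOT=1 so a mis-tuned probe cannot take the router down by accident. Assumptions: FreeBSD ping(8) flags, a default probe target of 8.8.8.8 and the thresholds shown.

```shell
#!/bin/sh
# Added example, not the script linked above and not OPNsense's own code.
# Gateway check for /usr/local/opnsense/scripts/gatewaycheck.sh, run from cron
# or "configctl gatewaycheck check". Assumptions: FreeBSD ping(8) flags, a
# probe target of 8.8.8.8 unless TARGET is set, and the thresholds below.
TARGET="${TARGET:-8.8.8.8}"            # host to probe
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"  # consecutive failures before acting
PROBE_INTERVAL="${PROBE_INTERVAL:-10}" # seconds between probes
DO_REBOOT="${DO_REBOOT:-0}"            # 1 = really reboot, else log only

log() { printf '%s gatewaycheck: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"; }

# One ICMP echo, give up after 3 s; exit status 0 means reachable.
probe_target() {
    ping -c 1 -t 3 "$TARGET" >/dev/null 2>&1
}

# check_gateway [PROBE]: run PROBE (default probe_target) up to FAIL_THRESHOLD
# times, sleeping PROBE_INTERVAL between attempts. Returns 0 on the first
# success, 1 only if every attempt failed, so one lost packet never reboots.
check_gateway() {
    probe="${1:-probe_target}"
    n=0
    while [ "$n" -lt "$FAIL_THRESHOLD" ]; do
        if "$probe"; then
            return 0
        fi
        n=$((n + 1))
        log "probe $n/$FAIL_THRESHOLD of $TARGET failed"
        if [ "$n" -lt "$FAIL_THRESHOLD" ]; then sleep "$PROBE_INTERVAL"; fi
    done
    return 1
}

# Reboot only when DO_REBOOT=1; otherwise the outage is only logged, which is
# the safe default while the probe and thresholds are still being tuned.
main() {
    if check_gateway; then
        log "$TARGET reachable"
        return 0
    fi
    log "$TARGET unreachable after $FAIL_THRESHOLD probes"
    if [ "$DO_REBOOT" = "1" ]; then log "rebooting"; /sbin/shutdown -r now; fi
    return 1
}

# Run main only when invoked as the script itself, not when sourced.
case "$0" in *gatewaycheck.sh) main ;; esac
```

Run it by hand a few times with DO_REBOOT unset and watch the log lines before wiring it into cron with DO_REBOOT=1.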
#63
19.7 Legacy Series / Re: Thank you Franco
November 15, 2019, 03:48:03 PM
Agreed. 

Thank you Franco and the entire OpnSense team!
#64
This is what I'm referring to...trying to download something in the Steam store makes Suricata use a lot of CPU on the WAN side:


   86290   root   90   0   1936M   220M   CPU0   0   2:23   59.67%   /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml{W#01-msk0_vlan2}

Downloading Steam directly from their website didn't have Suricata use so much CPU.
#65
Good morning.  Let me edit this post with some additional detail and some questions.

I have Suricata set up to monitor the WAN and my VLANs only.  However, trying to download a large file (e.g. Apex Legends) causes the memory usage of Suricata to jump up to 75%.  It appears to happen when a file is downloaded within the game launcher itself, which is when Suricata jumps to 75%; not when downloading from the EA site directly.

I noticed in the Activity monitor (System > Diagnostics > Activity) that Suricata was referencing the WAN in the command line; which makes sense because I'm only monitoring the WAN and my VLAN.

Settings:

IPS Mode: Checked
Promiscuous Mode:  Checked
Pattern Matcher: Hyperscan
Interfaces: WAN; VLAN50

Download Rules: Some of the ET rules (botcc, compromised, drop, attack-response, exploit, malware, trojan, worm).

Just wondering:  Is it possible to whitelist a site for Suricata to ignore?  If I need to use an IP address, I'm assuming I could find the IP of the affected URL and add that to a user defined pass list.  Any guidance would be appreciated.
#66
Quote from: Cajuba on October 18, 2019, 11:30:41 AM
Meanwhile, I am a bit confused...  :-\

As I wrote in my previous posts I had to run IPS on my VLAN Interfaces, but not on the physical interface. Otherwise I would not get DHCP leases on my VLAN Subnets and I could not connect to the internet.

Then the world turned upside down...  :o
A few days ago I had to perform several reboots after some issues with power supply. After that I was not able to get a DHCP lease with the exact config that used to work before.  So I played around a bit.  After configuring IPS running on the physical LAN interface, but not on the VLAN interfaces anymore I immediately got DHCP Leases on all of my VLAN Subnets. This seems to be stable so far.

I have no idea why the system's behaviour changed after the reboots. From my point of view this seems to be quite strange...

Hey Cajuba.  Did you upgrade to 19.7.5_5 per chance?
#67
Quote from: GaardenZwerch on October 16, 2019, 04:13:55 PM
OK,
my tests (both Lab and Production) confirm this.
I run suricata on each VLAN and leave promiscuous mode on, and IPS works. I have tested with igb and ixl interfaces.

Thanks,
Frank

Hi Frank.

Thanks for testing this.  Just to clarify: was this on the VLANs only or also the physical LAN interface?
#68
Quote from: Cajuba on October 14, 2019, 06:41:18 PM
Yes, I can confirm this. 
Following the GUI's instructions makes VLANs unusable. My workaround is to put all devices I want to be protected by IPS into separate VLANs / subnets and turn IPS on on these interfaces. My native non-VLAN subnet remains "unprotected".

Is this with promiscuous mode turned on or off?
#69
Quote
Can anybody confirm this? The GUI seems to be clear that you need promiscuous 'on' and run suricata on the physical NIC, but I have seen ppl state the opposite here in the forum.

I will try this in a lab, but with igb interfaces.

Hi GaardenZwerch.  Here is my setup:

Main SSID from AP pointing to LAN (no VLAN).
IOT SSID from AP pointing to LAN with VLAN (to separate IOT from the rest of the LAN)

I have set IPS with WAN/Main LAN with and without promiscuous mode on and off.  I have set IPS with WAN/Main LAN/IOT LAN with and without promiscuous mode on and off. 

No matter what I do, I seem to run into the same issue:  Main LAN has connectivity; IOT LAN does not.  (Note, if I select IOT LAN (with or without promiscuous mode) and hit Apply, I do get connectivity on that LAN for a while but then it loses access later.  Only selecting the Main LAN causes immediate disconnect on the IOT LAN).

If I turn IPS off, everything works (since it's only in detection mode).

Let me know if you want me to post or DM any of my setup to help in testing.
#70
I've noticed Suricata seems to have problems with VLANs. My AP has 2 SSIDs: one set with a VLAN and one without.  When I run Suricata with IPS on, I have connectivity on the SSID without a VLAN but lose connectivity on the other SSID (with the VLAN).  No matter my settings, I still lose connectivity on my VLAN connected SSID.
#71
19.7 Legacy Series / Re: SOLVED - Installation help please
September 30, 2019, 05:57:28 PM
@loganx1121 Glad to hear you've got it working.
#72
19.7 Legacy Series / Re: Installation help please
September 28, 2019, 07:06:20 PM
Using Linux is worth a shot.

When I wrote the OPNsense file to USB, I used my Mac to create an install USB.  The file I used was OPNsense-19.7-OpenSSL-vga-amd64.img.  When I booted from the USB, there was a point in the boot process to assign interfaces.  So, I said I wanted to assign my interfaces and assigned my WAN/LAN accordingly.  The boot process finished and I was able to log in (using 192.168.1.1) and configure as needed.  I let OPNsense run for about two days before running the installer.  The great thing is, when it installs, it also installs the config.

#73
19.7 Legacy Series / Re: Installation help please
September 28, 2019, 05:53:25 PM
I am in no way an expert but I'm going to ask a few questions to see if we can generate any ideas?

1. Which version of OPNsense are you using?  19.1?  19.7?

2. Are you using the 32bit or 64bit version?  I think the Gen 5 server uses Xeon processors that are 64bit but I'm not sure. 

3. Are you able to run OPNsense right from the USB drive without installing?
#74
I've noticed a funny issue trying to set up Suricata on my LAN side, especially with regards to my IOT devices connecting to the internet (wall switches, plugs, thermostats, etc.).  Just to give some background, here's my setup:

WAN: from Google Fiber (tagged with VLAN 2 as required by GF)
LAN: does not have a VLAN tag on it.  Use this for my PC connection.
LAN.VLAN10: A separate VLAN where all of my IOT devices are connected (so that they cannot talk to the devices on the other LAN connection).

(BTW, running LEDE on an AC1750 Archer C7 as an Access Point)

OPNSense/Suricata setup:

Disable Hardware Checksum Offload:  Checked
Disable Hardware TCP Segmentation Offload:  Checked
Disable Hardware Large Receive Offload:  Checked
VLAN Hardware Filtering: I've had this on both "Leave Default" and on "Disable" for testing.

Intrusion Detection Enabled: Checked
IPS Mode:  Checked
Promiscuous Mode:  Unchecked
Interfaces:  WAN

I have no problems just on the WAN side.  However, when I try to add LAN by itself, I no longer have access to my IOT devices from outside my home and my IOT devices lose internet connectivity.  If I add LAN/LAN.VLAN10, the IOT devices connect but again I cannot control them from outside.  Once I remove LAN/LAN.VLAN10 and only have WAN selected, everything works fine.

Has anyone gotten Suricata working with IOT devices?  I'd love to get your input.

Thanks in advance.
#75
I've noticed this too.  After an overnight shutdown (due to storms in the area), I started up my router and found Unbound didn't start.  I was able to manually start Unbound so we could get connectivity.  Is there any reason why it doesn't auto-start upon boot?