I just upgraded to 24.1 without changing any settings.
After the update, when the suricata service is running all the internet freezes. Hardware offloading is disabled; even re-enabling and disabling it doesn't work.
Any ideas where the problem might be?
Thanks.
Maybe the same as it was ~6 months back when I was testing Suricata 7.
https://forum.opnsense.org/index.php?topic=34997.msg
https://forum.opnsense.org/index.php?topic=35130.msg
IPS mode I guess? Same same, but different every time. These things are hard to trace up front.
Cheers,
Franco
It even happens when only IDS is enabled and no IPS. I'll try the configs from danderson.
I have the same issue after upgrading to 24.1.
The Egress connection to Internet work for a couple of minutes when starting the firewall. After this period the traffic to outside stops. After disabling IPS (suricata) the connections are restored. In my case IPS is enabled on the WAN interface.
I have changed my custom file with the help of this post. Now it looks stable for a couple of minutes.
https://forum.opnsense.org/index.php?topic=35130.msg
I must report the same issues.
Having suricata running breaks the connection.
When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)
Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.
When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)
Adding:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the upper post.
Looks like a little hotfix must be released.
Same issue here.
Running IPS on the LAN side.
The Web GUI gets unresponsive after a few minutes and the network works like crap.
Igb interfaces.
Quote from: seed on January 30, 2024, 06:46:34 PM
Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.
When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)
Adding:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the upper post.
Looks like a little hotfix must be released.
Even with the fix applied I have problems reaching my servers by http/https.
I disabled suricata for now.
Same issue. I have a very new installation from a few days ago. Suricata was enabled in IPS mode. I had only one rule set downloading for testing. After the upgrade, it seemed like most TCP traffic wasn't working through the firewall. DNS resolution with unbound was working fine. Echo requests/replies were working fine. I could load some things, but definitely not most. On a hunch, I eventually stopped Suricata and everything started working. I've just disabled it for now until I know what's going on.
Same issue here, disabling Suricata works. It was on IPS on WAN interface.
What is weird is that the same issue occurs with Crowdsec.
Same issue here but strangely enough only on 1 of the 2 WAN connections?!
The 'standard' WAN interface (igb0) stopped working but the other fiber interface (pppoe0) continued working. Both interfaces are in my Suricata interfaces list...
Hello,
Same issue here.
After disabling Suricata everything is stable again.
As soon as Suricata is enabled the web interface freezes about 4-5 minutes later; no traffic goes through.
Versions OPNsense 24.1-amd64
Protectli FW4C
For me, disabling Suricata is not enough. IPv4 WAN is completely dead, IPv6 still works. Unbound can't resolve anything but has IPv4 and IPv6 upstream servers.
Update: the system has no IPv4 default gateway anymore.
I have the same issue, even with the addition to the custom.yaml. Disabled suricata for now and all working.
Quote from: seed on January 30, 2024, 07:42:46 PM
Quote from: seed on January 30, 2024, 06:46:34 PM
Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.
When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)
Adding:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the upper post.
Looks like a little hotfix must be released.
Even with the fix applied I have problems reaching my servers by http/https.
I disabled suricata for now.
I've spread this message out over our communication channels:
Suricata 7 appears to have severe issues with Netmap mode, alerting is likely affected. We'll be reverting back to Suricata 6 tomorrow and recommend disabling IPS mode on 24.1 for now. Best done prior to executing the upgrade!
Cheers,
Franco
I have the same issue after upgrading to 24.1. Disable all is okay.
Sparkey
Same issue with me.
Disabling IDS OPNsense started working again. Hope a fix is developed soon.
Same here, had to disable it.
Going out on a limb here Franco, sorry, I know you are the maintainer of the package: is it compiled with --enable-netmap?
I don't see it in Makefile of the master branch.
https://docs.suricata.io/en/suricata-7.0.2/capture-hardware/netmap.html
"To build Suricata with NETMAP, add --enable-netmap to the configure line. The location of the NETMAP includes (/usr/src/sys/net/) does not have to be specified."
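An added example, not from the thread or from OPNsense: a POSIX sh snippet with two checks a defender would want here, whether the installed Suricata build reports netmap support and whether the custom.yaml workaround quoted earlier in the thread is actually present. It assumes `suricata --build-info` prints a `Features:` line listing NETMAP on netmap-capable builds and that custom.yaml carries the keys as quoted (top level, two-space indent); the sample texts are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: `suricata --build-info`
# prints a "Features:" line naming NETMAP on netmap-capable builds, and
# custom.yaml carries the keys exactly as quoted in the thread.
# The sample texts below are constructed so the checks run offline.

# 0 if the build-info text lists NETMAP among the compiled-in features.
has_netmap_in_buildinfo() {
    printf '%s\n' "$1" | grep -qiE '^Features:.* NETMAP( |$)'
}

# 0 if the YAML text has midstream-policy ignore plus http2 and quic enabled.
# Tracks the current top-level section so "enabled: yes" is attributed correctly.
custom_yaml_has_workaround() {
    printf '%s\n' "$1" | awk '
        /^[^ #][^:]*:/ { section = $1; sub(/:.*/, "", section) }
        /^stream\.midstream-policy:[ \t]*ignore[ \t]*$/ { s = 1 }
        /^[ \t]+enabled:[ \t]*yes[ \t]*$/ {
            if (section == "http2") h = 1
            if (section == "quic")  q = 1
        }
        END { exit !(s && h && q) }'
}

# Constructed sample resembling `suricata --build-info` output.
SAMPLE_BUILDINFO='This is Suricata version 7.0.2 RELEASE
Features: PCAP_SET_BUFF NETMAP HAVE_PACKET_FANOUT LIBCAP_NG PCRE2 RUST'

# Constructed custom.yaml with the full workaround from the thread.
SAMPLE_YAML='stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes'

# Constructed custom.yaml missing the quic key (should fail the check).
SAMPLE_YAML_PARTIAL='stream.midstream-policy: ignore
http2:
  enabled: yes'

# Live use on the firewall (path from the thread; run as root):
#   has_netmap_in_buildinfo "$(suricata --build-info)" && echo netmap-capable
#   custom_yaml_has_workaround "$(cat /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml)" \
#       && echo workaround-present
```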
The fix worked for me with no issues but only after rebooting.
Quote from: seed on January 30, 2024, 07:42:46 PM
Quote from: seed on January 30, 2024, 06:46:34 PM
Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.
When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)
Adding:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes
to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the upper post.
Looks like a little hotfix must be released.
Even with the fix applied I have problems reaching my servers by http/https.
I disabled suricata for now.
Thank you for pointing out this issue! Just wasted the last hour ripping apart my config and disabling every setting except IDS....
Same here, will be waiting for a fix and checking on the forum. Gonna do testing and make sure it is fixed with the update, then revert to the snapshot before the update and redo the update when fixed to ensure everything goes smoothly with updating to 24.
I've tried the solution mentioned in this thread, this doesn't resolve the issue.
Only working solution is to disable the IPS option; Intrusion Detection can remain Enabled (basically you know if something got in, but you didn't block it).
Tried the following without luck
- ET removal = nok
- removing all rules = nok
- reinstalling suricata = nok
- delayed start = nok
- removed internet WAN from blocking = nok (so IPS was only working on server WAN ip, all client internet traffic was unblocked/monitored)
- the fix mentioned in this thread
a hotfix with a downgrade, back to Suricata 6 seems the way to go.
Go TEAM OPNsense!
I have two boxes running nearly the same config. IPS is enabled on both boxes.
One is suffering from this issue and the other one is running fine. Both are based on Intel.
Meanwhile Suricata has been rolled back from 7 to 6 anyway. Making broad statements with ambiguous context doesn't help.
Cheers,
Franco
I hope it isn't postponed to somewhere in six months. Without any logs on hand it seems difficult to open a bug report in the Suricata GitHub.
Edit: I meant the release of Suricata 7, not the release of the rollback.
Version 24.1_1 fixed IPS once I did a reboot. Thank you for the rollback
@seedL: the development version still has Suricata 7. It has had it for a year now. Reports and problems have been very sparse so far. Actually, we don't know if it got worse somewhere between 7 RC1, where we started testing it, but it's not an immediate priority after the rollback. We will pick this up next week and see.
Cheers,
Franco
Quote from: franco on January 31, 2024, 12:54:40 PM
Meanwhile Suricata has been rolled back from 7 to 6 anyway.
I never had Suricata installed, but it seems that 24.1_1 forced the package to install. Was this intended behavior?
Quote from: sdjme on January 31, 2024, 04:50:42 PM
I never had Suricata installed, but it seems that 24.1_1 forced the package to install. Was this intended behavior?
Suricata is there as part of the base install. Services > Intrusion Detection.
Quote from: sdjme on January 31, 2024, 04:50:42 PM
Quote from: franco on January 31, 2024, 12:54:40 PM
Meanwhile Suricata has been rolled back from 7 to 6 anyway.
I never had Suricata installed, but it seems that 24.1_1 forced the package to install. Was this intended behavior?
If you look at the update log it will tell you it switched "suricata" package for "suricata-stable", so merely a switch, not really a "forced" install. Everything can be "forced" by means of dependencies, but that's exactly what it's supposed to do, maybe "enforcing" is better. ;)
Cheers,
Franco
Is this issue really fixed for 24.1_1? It looks like Unbound still fails from time to time. I cannot reproduce it yet but I still get random DNS resolution errors. All started with 24.1.
What's the connection between Suricata and Unbound?
Cheers,
Franco
My bad the issue lies somewhere else, nothing to do with IDS.