Hi,
after the update to 24.1.2 and Suricata 7 on board back again my VoIP stopped working. My VoIP phone (a Grandstream) sometimes gets a connection to my provider but no outgoing or incoming calls are possible.
Disabling Suricata brings everything back to life instantly. Enabling Suricata breaks the setup again. Nothing related is shown in the logs of Suricata or that anything is blocked. No other changes done on the system, just the update to 24.1.2.
Running without Suricata now. Any help is appreciated!
Thanks and best regards
Ingo
Hi,
same problem here with Snom Phones.
After disabling IPS Mode it works fine.
Best regards
Florian
Same problem here with Yealink Dect. Rolled back to 24.1.1
Disable IPS?
Diagnosing these issues will cost a lot of time and we're not going to roll back Suricata 7 anymore.
Cheers,
Franco
Is it possible that there is a connection between this thread and the topic "Suricata - NUMA nodes" in suricata 7.0.3?
I had the same issues as described above as well as the errors in the log regarding the numa nodes mentioned by fadern.
After install of patch OPNsense 24.1.2_1 today my VoIP phone is working again with Suricata 7 and IPS enabled. I don't get the point but will not complain.
Can anybody confirm this?
Best regards
Ingo
same issue here ... 24.1.2 and Suricata 7 breaks VOIP for me
Quote from: itn3rd77 on February 21, 2024, 09:12:03 PM
After install of patch OPNsense 24.1.2_1 today my VoIP phone is working again with Suricata 7 and IPS enabled. I don't get the point but will not complain.
Can anybody confirm this?
I cannot confirm the behavior. I have also installed 24.1.2_1 and my VoIP was not able to connect to the service provider. After disabling IPS Mode in Suricata the phone is able to establish a connection again to the provider.
Same issue here with 24.1.2.
Updated to 21.1.2_1, restarted OPNSense does not bring VoIP back.
Then I disabled & enabled Suricata and now it is working again!
I can confirm that 24.1.2_1 makes no difference, VOIP is not working as long as IPS is active.
Can you try this?
https://forum.opnsense.org/index.php?topic=38989.0
Hi,
sorry for my false positive. It does not work for me either after 21.1.2_1 :-[
I got my hands on mimugmail's post and searched eve.json for my drops:
{"timestamp":"2024-02-22T07:52:13.119012+0100","flow_id":1076748976560117,"in_iface":"igb1","event_type":"drop","vlan":[42],"src_ip":"192.168.42.100","src_port":20538,"dest_ip":"185.22.44.186","dest_port":5060,"proto":"UDP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":48,"tos":104,"ttl":64,"ipid":8685,"udplen":28,"reason":"applayer error"}}
As described I added the following to /usr/local/etc/suricata/custom.yaml and restarted Suricata:
app-layer:
  error-policy: ignore
No more drops in eve.json for 30 minutes and phone still connected.
I can't judge if this is harmless and the way to go. Besides that, if you click the "Apply" button in the UI, /usr/local/etc/suricata/custom.yaml gets overwritten with the template /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml.sample.
What's the right way to do customizations?
Best regards and sorry again for my false positive
Ingo
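A way to run the eve.json search from the post above over a whole log, added here as an example and not part of the original posts: it counts drop events by reason, protocol and destination port and separates drops that have no signature behind them. It assumes a drop reason of "rules" marks signature-driven drops; the first sample line is the event quoted in the post, the others are constructed.

```python
import json
from collections import Counter

# Line 1 is the drop event quoted in the post; the remaining lines are constructed
# samples (documentation IP ranges), including one truncated, half-written record.
SAMPLE_EVE = r'''
{"timestamp":"2024-02-22T07:52:13.119012+0100","flow_id":1076748976560117,"in_iface":"igb1","event_type":"drop","vlan":[42],"src_ip":"192.168.42.100","src_port":20538,"dest_ip":"185.22.44.186","dest_port":5060,"proto":"UDP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":48,"tos":104,"ttl":64,"ipid":8685,"udplen":28,"reason":"applayer error"}}
{"timestamp":"2024-02-22T07:52:14.000000+0100","event_type":"drop","src_ip":"192.168.42.100","src_port":20538,"dest_ip":"198.51.100.7","dest_port":5060,"proto":"UDP","drop":{"reason":"applayer error"}}
{"timestamp":"2024-02-22T07:52:15.000000+0100","event_type":"drop","src_ip":"192.0.2.10","src_port":40000,"dest_ip":"192.168.42.5","dest_port":22,"proto":"TCP","drop":{"reason":"rules"}}
{"timestamp":"2024-02-22T07:52:15.500000+0100","event_type":"flow","proto":"UDP","dest_port":53}
{"timestamp":"2024-02-22T07:52:16.000000+0100","event_type":"drop","proto":"UDP","dest_po
'''

def iter_drops(lines):
    """Yield parsed EVE records whose event_type is "drop"."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json is appended live; skip a partially written line
        if isinstance(event, dict) and event.get("event_type") == "drop":
            yield event

def summarize_drops(lines):
    """Count drops per (reason, proto, dest_port)."""
    counts = Counter()
    for event in iter_drops(lines):
        reason = event.get("drop", {}).get("reason", "unknown")
        counts[(reason, event.get("proto"), event.get("dest_port"))] += 1
    return counts

def non_rule_drops(summary):
    """Drops not caused by a signature (assumption: those carry reason "rules")."""
    return {key: n for key, n in summary.items() if key[0] != "rules"}

if __name__ == "__main__":
    # On a firewall, pass an open eve.json file object instead of the sample.
    summary = summarize_drops(SAMPLE_EVE.splitlines())
    for (reason, proto, port), n in sorted(non_rule_drops(summary).items()):
        print(f"{n:5d}  {reason:<16} {proto}/{port}")
```

Drops that show up here with no matching alert are the ones an exception policy produces, which is why nothing appears in the alert view while SIP traffic on port 5060 is still discarded.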
Better to add a checkbox in UI
Quote from: mimugmail on February 22, 2024, 12:22:50 PM
Can you try this?
https://forum.opnsense.org/index.php?topic=38989.0
I implemented the suggestion but my phones still have a problem connecting to the provider. Not directly after the modification but after some time.
After disabling the IPS mode within seconds the phones are connected.
24.1.2_1 makes no difference. IPS Mode off and all the phones work.
Quote from: mimugmail on February 22, 2024, 12:22:50 PM
Can you try this?
https://forum.opnsense.org/index.php?topic=38989.0
Just tried adding
exception-policy: ignore
to
/usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml
no more drop for VoIP now. Thanks.
I will try again 12 hours later to confirm it won't drop anymore.
I have tried the suggestion made by mimugmail but have the same result as ChrisChros - it will not work.
I got this to work only after copying the entire app-layer: section from suricata.yaml and inserting error-policy: ignore at the first indent - same level as protocols:.
The Suricata 7 documentation (https://docs.suricata.io/en/suricata-7.0.2/configuration/suricata-yaml.html#splitting-configuration-in-multiple-files) states that adding app-layer: in custom.yaml overwrites the one in suricata.yaml. I recommend anyone still having issues to try this if disabling IPS is not an option.
Quote
If the same section, say outputs is later redefined after the include statement it will overwrite the included file. Therefore any include statement at the end of the document will overwrite the already configured sections.
Just a FYI.
I have two VoIP systems behind almost identical firewall hardware (one has a couple of additional 10GB ports) running 24.1.2_1 and configured in the same way. PBX traffic is over a 1:1 NAT.
I've seen the same issue of IDS needing to be disabled on one of them but not the other.
The major difference between the two looks to be the SIP trunk provider.
any news on the problem?
Not in the exact same vein:
With upgrade to 24.1.2 and activation of Suricata 7 we saw a drastic decline in Teams throughput for all calls and video with their service. Only way we were able to circumvent was by turning off Suricata. Once it was off we saw throughput return to normal and users able to place calls with 0 lag or interference. Not sure if it assists, but hoping someone with more knowledge or within OpnSense sees this thread and has a fix for next release.
This problem was addressed here https://github.com/opnsense/core/pull/7271
I suppose it will be fixed in the next update.
Yeah, 24.1.3 should address this further. It is probably going to be released tomorrow.
Cheers,
Franco
RE: VOIP/SIP issues
Do a package capture on WAN while calling your number and see if there are SIP invite packages coming in from your provider.
Reboot and repeat.