Alright, I've been troubleshooting this for two days now and I'm completely out of ideas as to what could be wrong at this point. I've tried various YouTube videos, guides on the internet, searches through this forum (nothing quite fit this issue), and LLM chats. I'll dump as much info as I can remember, but if there's anything extra I can show/provide, just let me know and I'll be happy to add it. The issue is that I am using the Divert (IPS) capture mode through Intrusion Detection; however, even with the settings enabled and my particular test method set to drop in the rules, it simply refuses to drop. To note, the IDS aspect seems to be working, as I go into Intrusion Detection > Administration > Alerts and find alerts from Steam and Discord from my computer on my LAN network, so it just seems to be the IPS aspect that is failing.
I do not know if this is happening because of my specific test method or because something else is wrong, and at this point I'm at a loss. I will preface that I used Google and ChatGPT in the setup and troubleshooting process when I stopped getting results in normal search, and I am not experienced with OPNsense, so it's pretty likely that I've just configured something wrong. I initially configured based on videos and manual documents, had some initial issues with general networking that I resolved and some configuration issues on the IDS side, but most of that seems to be straightened out. I'll add as much as I can think of for my setup and specs below, but if there's anything else that would help, I'm happy to provide it.
Hardware: Sophos XG 210 Rev. 3, upgraded to an i5-6500 CPU, 8GB RAM, factory Intel interfaces for the ports.
ISP: Spectrum
Firmware: OPNsense 26.1.8_5-amd64
FreeBSD 14.3-RELEASE-p12
OpenSSL 3.0.20
LAN connection: Wired through a Netgear SG108 8-port unmanaged switch for traffic to my PC, Synology NAS and Proxmox server, subnet 192.168.1.0/24
WAN connection: Direct from my Arris Surfboard SBG7400AC2 running in bridge mode, so it doesn't handle anything but coax to Ethernet
OPT1/WiFi: Being used to run dedicated WiFi on a different subnet; will work on VLAN options for IoT later, but for now just WiFi and no VLAN anywhere else in the network. Ethernet running to the WAN port on a Netgear R6900v2 router, which handles DHCP for connected devices, subnet 192.168.2.0/24
Remaining ports not yet configured.
System configuration:
- System is mostly default; I do have two gateways, though. I believe the first, the WAN_DHCP gateway, was configured with the wizard during initial setup since my ISP does DHCP. The second is a gateway configured for the Netgear router at 192.168.3.2.
- I've also got a single route configured for the WiFi using 192.168.2.0/24 as the network address and the above gateway as the configured gateway.
- I also have SSH, root login, and password login enabled for testing purposes, but once fully deployed those will be disabled. Probably not relevant, but just throwing it out there.
- I do have some cron jobs set up as well to keep my GeoIP database and Unbound DNS blocklists updated, as well as one to update and reload IDS rules.
Interfaces:
- LAN: Only changes from default are IPv4 Configuration Type: Static IPv4 and IPv4 Address: 192.168.1.1/24. DHCP is being handled by Kea DHCP.
- WAN: Block private networks: enabled, Block bogon networks: enabled, IPv4 Configuration Type: DHCP so it can be assigned by the ISP.
- WIFI: IPv4 Configuration Type: Static IPv4, IPv4 address: 192.168.3.1/24; static for the route and gateway so it can handle its own DHCP.
- Settings: Disable hardware checksum offload: checked, Disable hardware TCP segmentation offload: checked, Disable hardware large receive offload: checked, VLAN hardware filtering: Disabled
Firewall:
- Aliases: I have some aliases set up to forward ports to some of my servers, since one of the Proxmox containers is a game server host and occasionally needs new ports forwarded. This also handles my GeoIP blocked countries and port forwarding to my Nginx Proxy Manager container. I don't think these will be relevant, but if so, let me know and I'll provide detailed settings.
- NAT > Destination NAT: I have some NAT rules here to route ports to the appropriate servers (Jellyfin, Synology NAS, game server, Element-Synapse, Nginx).
- Rules [new]: If I had to guess, this is probably where my problem is. I'll provide my rule order below.
-----TOP-----
LAN UDP Rule: Special rule sending syslog from my Nginx server to the firewall on port 5140 for blocking purposes
DROP>WAN>SOURCE:Blocked_Countries
- Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: Blocked_Countries, Destination: any, Divert-to: none, State type: Keep, all else: default.
DROP>WAN>SOURCE:CrowdSec_Blocklists
- Interface: WAN, Quick: checked, Action: Block, Direction: In, Protocol: any, Source: CrowdSec_Blocklists, Destination: any, Divert-to: none, State type: Keep, all else: default.
PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI IPS Rule
- Interface: WIFI, Quick: Unchecked, Action: Pass, Direction: In, Protocol: TCP, Source: Single network: 192.168.3.0/24, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: Sloppy, all else: default.
PASS>WIFI>SOURCE: 192.168.3.0/24>WIFI Inbound Rule
- Interface: WIFI, Quick: Checked, Action: Pass, Direction: In, Protocol: Any, Source: Single network: 192.168.3.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.
PASS>LAN>SOURCE: LAN network>LAN IPS Rule
- Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: LAN network, Destination: any, TCP flags any: Checked, Divert-to: Intrusion Detection, State type: No state, Disable reply-to: Checked, all else: default.
PASS>LAN>SOURCE: 192.168.1.0/24>LAN Inbound Rule
- Interface: LAN, Quick: Checked, Action: Pass, Direction: In, Protocol: TCP, Source: Single network: 192.168.1.0/24, Destination: any, TCP flags any: Unchecked, Divert-to: None, State type: Keep, all else: default.
Services: I've done configurations to CrowdSec, Dynamic DNS, Kea DHCP, and Unbound DNS in addition to the Intrusion Detection, but I'm not certain that is relevant, so I'll spare you the clutter. Let me know if it is and I can provide any relevant info.
- Intrusion Detection > Settings: Enabled: Checked, Capture mode: Divert (IPS), Listeners: 1, Pattern matcher: Hyperscan, Home networks: 1.0/24 and 2.0/24 on top of the defaults it adds, All else: default
- Download: Abuse.ch/SSL fingerprint and IP blacklists: Enabled + Installed, ET Open lists: Enabled + Installed, OPNsense-App-detect: Enabled + Installed
- Rules: Currently only 4 set to drop, all others set to alert only. Drop: Emerging-malware.rules, opnsense.test.rules (OPNsense test eicar virus), local.rules (BLOCK TESTMYNIDS)
- User defined:
- Alerts: This part tells me it is at least working as IDS, as it has been detecting Steam and Discord from my main PC. Alerts: ET USER_AGENTS Steam HTTP Client User-Agent, ET INFO Observed Discord Domain (discord .com in TLS SNI), ET INFO Observed UA-CPU Header, ET INFO GNU/Linux APT User-Agent Outbound likely related to package management, GPL ATTACK_RESPONSE id check returned root
- Policy:
I believe that is all the relevant firewall info, but let me know if I can add anything else to help. From here, ChatGPT and Google had me testing through SSH a lot, particularly with these three curl commands:
curl http://testmynids.org/
curl http://testmynids.org/uid/eicar.com
curl http://testmynids.org/uid/index.html
I was using those to monitor eve.json (tail -f /var/log/suricata/eve.json) through SSH to see if EICAR would be flagged. I confirmed Suricata was running, rules loaded, the policies were enabled, pf was stable, and the divert rules existed, but eve.json never caught the test traffic and every attempt to curl succeeded. Notably, there were even times when the curl for eicar.com and index.html would hang for about 7 seconds; I would hear the fan on my firewall spin up, then it would return the info, so it appears it was actively inspecting the traffic but never stopping it.
I think I'm about out of info to dump, but I do want to point out something about the rules too. I ended up testing a lot of different rule settings, primarily with just the LAN and WAN interfaces, to eliminate any possible problems from the Netgear router. I tried Quick checked and unchecked, protocol as any and TCP, TCP flags any checked and unchecked, state type as keep, sloppy, and none, disable reply-to checked and unchecked, and the interfaces set to the individual interfaces as well as a fresh floating rule with WAN and LAN so it would be at the top, with all of the above setting changes applied to the floating rule as well. I never created a rule under the old Rules section, but I do see some present, so I presume it generates them in both places. I think that's all I have right now, but again, anything else that can help you in helping me, just let me know.
Thanks for any help you can give,
Dubbz
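An added example, not part of the post above and not code from OPNsense or Suricata: the three outcomes a divert test can produce are distinguishable in eve.json, and it helps to separate them before changing firewall rules. A signature that never appears means the packets did not reach Suricata at all (which is what the post describes for the testmynids fetches); a signature that appears with `alert.action` of `allowed` means Suricata saw it but only alerted; a signature with `alert.action` of `blocked`, normally accompanied by an `event_type` of `drop`, means IPS actually dropped it. The script below audits a log slice that way. It assumes Suricata's standard eve alert fields (`event_type`, `alert.action`, `alert.signature`); the log lines and the signature IDs 900000x embedded in it are constructed for the example and are not real ET or OPNsense SIDs.

```python
"""Audit a slice of Suricata's eve.json to separate the outcomes a divert
(IPS) test can produce: the signature was never seen, it was seen but only
alerted (alert.action "allowed"), or it was seen and dropped (alert.action
"blocked", usually accompanied by an event_type "drop" record).

The log lines below are constructed for this example; the signature IDs
900000x are placeholders, not real ET or OPNsense SIDs.
"""
import json
import sys
from collections import defaultdict

# Constructed sample in the shape Suricata writes to eve.json, trimmed to the
# fields the audit uses. The final line imitates a partial record as seen
# with `tail -f`; it must be skipped rather than abort the parse.
SAMPLE_EVE = r'''
{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"ET USER_AGENTS Steam HTTP Client User-Agent","category":"Misc activity","severity":3}}
{"timestamp":"2025-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.20","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"BLOCK TESTMYNIDS","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-01-01T10:00:09.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.20","proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000002,"rev":1,"signature":"BLOCK TESTMYNIDS","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2025-01-01T10:00:09.000100+0000","event_type":"drop","src_ip":"192.168.1.50","dest_ip":"203.0.113.20","proto":"TCP","drop":{"len":60,"ttl":64,"syn":false,"ack":true,"psh":true}}
{"timestamp":"2025-01-01T10:00:12.000000+0000","event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.1
'''


def parse_eve(text):
    """Yield decoded eve records, skipping blank or incomplete JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line from a live tail, or non-JSON noise


def summarize(text):
    """Return ({signature: {"allowed": n, "blocked": n}}, drop_event_count)."""
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    drops = 0
    for rec in parse_eve(text):
        kind = rec.get("event_type")
        if kind == "alert":
            alert = rec.get("alert", {})
            sig = alert.get("signature", f"sid:{alert.get('signature_id')}")
            action = alert.get("action", "allowed")
            counts = summary[sig]
            counts[action] = counts.get(action, 0) + 1
        elif kind == "drop":
            drops += 1
    return dict(summary), drops


def ips_verdict(text, signature):
    """Classify one signature as 'not-seen', 'alert-only' or 'dropping'.

    not-seen   : Suricata never produced an alert for it, so either the rule
                 is not loaded or the traffic never passed through the divert
                 path (a firewall-rule question, not an IPS-policy question).
    alert-only : seen, but every alert carries action "allowed"; the packet
                 was logged and forwarded (IDS behaviour).
    dropping   : at least one alert carries action "blocked".
    """
    summary, _ = summarize(text)
    counts = summary.get(signature)
    if counts is None:
        return "not-seen"
    if counts.get("blocked", 0) > 0:
        return "dropping"
    return "alert-only"


def main(argv):
    # With no arguments the constructed sample is audited; on the firewall
    # pass the real log path and, optionally, the signature to classify.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_EVE
    summary, drops = summarize(text)
    for sig, counts in sorted(summary.items()):
        print(f"{counts['allowed']:>5} allowed {counts['blocked']:>5} blocked  {sig}")
    print(f"{drops} drop events")
    if len(argv) > 2:
        print(f"verdict for {argv[2]!r}: {ips_verdict(text, argv[2])}")


if __name__ == "__main__":
    main(sys.argv)
```

On the firewall this would be run over the live log, e.g. with the test signature from the post as the second argument (assuming a python3 interpreter is on the path): `python3 eve_audit.py /var/log/suricata/eve.json "BLOCK TESTMYNIDS"`. A `not-seen` result for a signature that is confirmed loaded points at the divert path (which pf rule matches the flow first, and whether it carries divert-to) rather than at the drop policy, and is the case worth settling before changing state types or reply-to options.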