OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: Joerg on June 15, 2016, 11:05:48 am
-
Hi,
I'm using the actual updated OPNsense on a ZOTAC-CI323nano cube. I configured a physical WAN interface and one LAN interface with some VLANs.
So far the Performance is really great.
As soon as I activate the Intrusion Detection IPS mode, the download rate goes down by 30%.
The CPU load is below 20% then.
In case I activate the abuse.ch/* rules, the Internet connection will drop after a few minutes. In the alert tab I do not see any dropped packets.
Any Idea or in which area I should look?
-
In my experience lack of RAM is usually the killer with IPS, how much RAM is on your system?
-
I'm using 8068 MB
I tested it again. Starting a download will not raise the memory usage, which is at 10%. It seems that simply the WAN interface status says offline.
-
I'm using 8068 MB
I guess that should be enough :D
Are you actually using it as an IDS or have you enabled IPS mode and how many rules are you checking and blocking (is it just the ones you mentioned earlier)? I've used this on an ESXi VM with 2GB of RAM without any great problems, I'm not a developer so I'm really just asking for a bit of clarification of what you're doing.
-
I just use the rulesets
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist
This of course loaded 2294 rules.
-
So I just tested it again.
As soon as I activate IPS mode, the WAN interface will go offline in less than 4 minutes.
Are there some logfiles or settings which I can check?
-
Just to be sure: Did you disable all hardware offloading?
If so it could be that the network chip is not very well supported by Netmap, can you tell us what network chip is in that device?
-
So far I found out that there is a Realtek RTL8111/8168/8169/8411 chip inside. I found this on the net, so I can check when I'm home. Or is there a way to see that?
And of course I disabled all hardware offloading. :P
-
This is the Output of the Log this morning in the GUI:
Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***
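The apinger lines above are shown newest-first, as the GUI lists them, which makes it easy to misread how long each gateway was actually down. The following Python script is an added example (not from this thread and not OPNsense code) that parses those exact lines, sorts them chronologically and pairs each ALARM with its "alarm canceled" line so the outage windows per gateway can be lined up against the moment IPS mode was switched on. It assumes the year 2016, since syslog-style timestamps carry no year; the sample input is constructed from the posted lines.

```python
"""Compute gateway down/up windows from apinger log lines as shown in the OPNsense GUI.

Added example for this thread; not OPNsense's own tooling. The log lines lack a
year, so 2016 is assumed (the thread's date). Input is the constructed sample below.
"""
import re
from datetime import datetime

# Constructed sample: the six lines posted above, in the GUI's newest-first order.
SAMPLE_LOG = """\
Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***
"""

# One apinger line: "<Mon DD HH:MM:SS> apinger: <ALARM|alarm canceled>: <GW>(<addr>) *** <state> ***"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) apinger: "
    r"(?P<event>ALARM|alarm canceled): (?P<gw>\w+)\((?P<addr>[^)]*)\) "
    r"\*\*\* (?P<state>\w+) \*\*\*$"
)


def parse_events(text, year=2016):
    """Return a chronologically sorted list of (timestamp, gateway, is_alarm)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an apinger gateway line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["gw"], m["event"] == "ALARM"))
    events.sort(key=lambda e: e[0])  # GUI shows newest first; we need oldest first
    return events


def outage_windows(events):
    """Pair each ALARM with the next 'alarm canceled' for the same gateway.

    Returns {gateway: [(down_at, up_at, seconds), ...]}. A gateway still down at
    the end of the log gets (down_at, None, None).
    """
    open_since = {}
    windows = {}
    for ts, gw, is_alarm in events:
        if is_alarm:
            open_since.setdefault(gw, ts)  # repeated ALARM without cancel: keep first
        elif gw in open_since:
            start = open_since.pop(gw)
            secs = int((ts - start).total_seconds())
            windows.setdefault(gw, []).append((start, ts, secs))
    for gw, start in open_since.items():  # unresolved outages
        windows.setdefault(gw, []).append((start, None, None))
    return windows


def summarize(text, year=2016):
    """Human-readable per-gateway outage report."""
    lines = []
    for gw, wins in sorted(outage_windows(parse_events(text, year)).items()):
        for down_at, up_at, secs in wins:
            if up_at is None:
                lines.append(f"{gw}: down since {down_at:%H:%M:%S}, not recovered")
            else:
                lines.append(f"{gw}: down {down_at:%H:%M:%S} -> {up_at:%H:%M:%S} ({secs}s)")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against the posted lines it reports WANGW down twice (164 s and 27 s) and VLAN11_USGW down once for 484 s; comparing those windows with the time IPS mode was enabled is the quickest way to confirm that the drops start only once netmap takes over the Realtek NIC.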
-
Hi Jörg,
There were several threads where Realtek turned out to be a let down and only replacing the NICs helped amend the system, e.g.:
https://forum.opnsense.org/index.php?topic=2306
Cheers,
Franco