OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: marianh on September 07, 2016, 09:48:38 am

Title: IPS cut off GUI access from WAN
Post by: marianh on September 07, 2016, 09:48:38 am
Enabling IPS cut off GUI access from WAN. Only solution is to kill suricata process.
Cut off - ping from OPNsense to upstream gateway works but I cannot access GUI (connection timeout).
NIC: em0 - Intel Pro/1000 7.6.1 also 7.6.2.
Offloads completely disabled. No IPS rulesets loaded. No alerts.
I did a packet capture and it seems that OPNsense and my workstation communicate.

Enabling IPS:
Sep 7 09:27:33    kernel: 253.050654 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 253.036456 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
Sep 7 09:27:33    kernel: 253.022228 [ 798] generic_netmap_dtor Restored native NA 0
Sep 7 09:27:33    kernel: 253.008023 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 252.996591 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
Sep 7 09:27:33    kernel: 252.979590 [ 798] generic_netmap_dtor Restored native NA 0
Sep 7 09:27:33    kernel: 252.965387 [1233] netmap_mem_global_config reconfiguring
Sep 7 09:27:33    kernel: 252.951174 [ 274] generic_find_num_queues called, in txq 0 rxq 0
Sep 7 09:27:33    kernel: 252.931346 [ 266] generic_find_num_desc called, in tx 1024 rx 1024


Disabling IPS:
Sep 7 09:28:49    kernel: 329.427691 [ 798] generic_netmap_dtor Restored native NA 0
Title: Re: IPS cut off GUI access from WAN
Post by: AdSchellevis on September 07, 2016, 08:24:41 pm
Hi marianh,

If all hardware offloading is off, you could try to use the original driver from intel.
There seem to be more issues with the ones delivered standard in FreeBSD.

If you want to try this, make sure you're running the latest version of OPNsense (if you weren't already, you should try an upgrade first).
Then execute this in the console:

Code:
pkg install intel-em-kmod

And add the following to your /boot/loader.conf:

Code:
if_em_updated_load="YES"

Eventually we will make it easier to install intel's standard.

Best regards,

Ad
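Ad's advice hinges on all hardware offloading being off on the interface Suricata takes over via netmap, and on which em(4) driver is actually loaded. The script below is an added example for this thread (not OPNsense, FreeBSD or Suricata code): it parses `ifconfig <if>` output for the offload capability flags that must be cleared for IPS mode, prints the `ifconfig` switches that clear them, and reports whether Intel's if_em_updated.ko or the base driver is loaded. The ifconfig/kldstat text it falls back to when no interface is given is constructed sample output, not from anyone's box.

```python
"""Verify that a FreeBSD/OPNsense interface has no hardware offloads left on
before it is handed to netmap for IPS mode, and report which em(4) driver
is loaded. Added example for this thread (not OPNsense, FreeBSD or Suricata
code). Run on the firewall as:  python check_offload.py em0
Without an argument it runs over constructed sample output (below).
"""
import re
import subprocess
import sys

# Capability flags ifconfig prints inside options=<...> that must be off for
# netmap/IPS mode. VLAN hardware offloads are included because the thread
# asks about VLAN configurations explicitly.
OFFLOAD_FLAGS = frozenset([
    "RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6",
    "TSO4", "TSO6", "LRO", "VLAN_HWTAGGING", "VLAN_HWCSUM", "VLAN_HWTSO",
])

# ifconfig(8) switches that clear each flag for the running session.
DISABLE_SWITCH = {
    "RXCSUM": "-rxcsum", "TXCSUM": "-txcsum",
    "RXCSUM_IPV6": "-rxcsum6", "TXCSUM_IPV6": "-txcsum6",
    "TSO4": "-tso4", "TSO6": "-tso6", "LRO": "-lro",
    "VLAN_HWTAGGING": "-vlanhwtag", "VLAN_HWCSUM": "-vlanhwcsum",
    "VLAN_HWTSO": "-vlanhwtso",
}

# options=<hex>[<FLAG,FLAG,...>]; the angle-bracket part is absent when 0.
OPTIONS_RE = re.compile(r"options=[0-9a-fA-F]+(?:<([^>]*)>)?")

# Constructed sample output: an em0 with several offloads still enabled.
SAMPLE_IFCONFIG = (
    "em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\toptions=4015b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>\n"
    "\tether 00:00:00:00:00:01\n"
    "\tinet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255\n"
)
SAMPLE_KLDSTAT = (
    "Id Refs Address            Size     Name\n"
    " 1   10 0xffffffff80200000 1f9a1f0  kernel\n"
    " 2    1 0xffffffff82221000 3e8a0    if_em_updated.ko\n"
)


def enabled_offloads(ifconfig_text):
    """Sorted list of offload flags still set in `ifconfig <if>` output."""
    m = OPTIONS_RE.search(ifconfig_text)
    if not m or not m.group(1):
        return []
    return sorted(set(m.group(1).split(",")) & OFFLOAD_FLAGS)


def disable_commands(ifname, flags):
    """ifconfig commands that clear the given flags on ifname."""
    return ["ifconfig %s %s" % (ifname, DISABLE_SWITCH[f]) for f in flags]


def em_driver(kldstat_text):
    """'updated' when Intel's if_em_updated.ko is loaded, else 'base'."""
    return "updated" if "if_em_updated.ko" in kldstat_text else "base"


def report(ifname, ifconfig_text, kldstat_text):
    """Print the check; return True when the interface is netmap-clean."""
    flags = enabled_offloads(ifconfig_text)
    print("%s: em driver = %s" % (ifname, em_driver(kldstat_text)))
    if not flags:
        print("%s: no hardware offloads enabled" % ifname)
        return True
    print("%s: offloads still enabled: %s" % (ifname, ", ".join(flags)))
    for cmd in disable_commands(ifname, flags):
        print("  " + cmd)
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ifname = sys.argv[1]
        ifc = subprocess.check_output(["ifconfig", ifname]).decode("utf-8", "replace")
        kld = subprocess.check_output(["kldstat"]).decode("utf-8", "replace")
    else:
        ifname, ifc, kld = "em0", SAMPLE_IFCONFIG, SAMPLE_KLDSTAT
    sys.exit(0 if report(ifname, ifc, kld) else 1)
```

The printed `ifconfig -...` commands only affect the running session; the persistent place to turn offloading off on OPNsense is the GUI's interface settings for hardware offloading, after which a re-run of the check should print no flags. A "base" driver result after installing intel-em-kmod means the `if_em_updated_load="YES"` loader line has not taken effect yet (it needs a reboot).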
Title: Re: IPS cut off GUI access from WAN
Post by: marianh on September 08, 2016, 06:34:16 am
Hi, AdSchellevis

as I wrote in my first post, I already have intel-em-kmod (7.6.2) in my system.
Title: Re: IPS cut off GUI access from WAN
Post by: franco on September 19, 2016, 12:14:55 am
What's your WAN config? PPPoE, VLAN, etc?
Title: Re: IPS cut off GUI access from WAN
Post by: marekdes on September 21, 2016, 08:15:52 pm
PPPoE - no
VLAN - no

It's even worse: it disables the whole OPNsense, LAN clients cannot access the internet.
I am unable to find any log which would enlighten my situation.
Title: Re: IPS cut off GUI access from WAN
Post by: franco on September 21, 2016, 08:43:51 pm
So what's your NIC driver? Your hardware platform? Which OPNsense version? What interfaces are in IPS mode? How are they configured?

Lots of things that can lead to the same result, lots of solutions, too. :)
Title: Re: IPS cut off GUI access from WAN
Post by: marekdes on September 22, 2016, 08:31:56 pm
NIC driver: Intel(R) PRO/1000 Network Connection 7.6.2
Hardware platform: amd64
OPNsense version: 16.7.3-amd64 (FreeBSD 10.3-RELEASE-p7)
What interfaces are in IPS mode: WAN
How are they configured: static IP address
Title: Re: IPS cut off GUI access from WAN
Post by: franco on September 22, 2016, 08:39:48 pm
Did you check the alert log? Maybe you have a rule that blocks your traffic. It happens to me too sometimes when I use the custom rules...
Title: Re: IPS cut off GUI access from WAN
Post by: marekdes on September 23, 2016, 07:23:41 pm
Quote
Did you check the alert log?

Yes

Quote
Maybe you have a rule that blocks your traffic.

No, I have not.
Title: Re: IPS cut off GUI access from WAN
Post by: Ciprian on May 30, 2017, 03:57:14 pm
Hello!
I know it's a long time since the last reply to this post, but I have the same problem, meaning the same output on the console.

I can't activate IPS without network services like RDP (Windows mstsc) connections or Veeam backups becoming unstable and slow.
RDP sometimes connects, sometimes doesn't; during connection initiation I see loops of "Initiating remote connection" <-> "Configuring remote connection".
Veeam backups never reach peak performance; the transfer between the server being backed up and the data storage is almost all the time at a bare minimum, with short spikes of up to 10% of the transfer speed without IPS.

I use OPNsense in a virtual environment, VMware ESXi 5.0. I tried E1000 virtual NICs, VMXNET3... I double-checked that hardware offloading is OFF, including for VLANs... I don't know what else to try.

Is there anyone who managed to use OPNsense + Suricata successfully in a virtual VMware environment? What should be done, what are the appropriate settings?

Thank you very much!
Title: Re: IPS cut off GUI access from WAN
Post by: Ciprian on June 09, 2017, 11:09:54 am
UPDATE:

Regarding this:

Quote
RDP sometimes connects, sometimes doesn't; during connection initiation I see loops of "Initiating remote connection" <-> "Configuring remote connection".

It took me a while, but I found out that having the "Emerging-dos" ruleset activated puts a big dent in RDP connections. I haven't found the time to isolate it further to a particular rule (or rules) in that ruleset, but it's definitely the "emerging-dos" ruleset that is creating my problems.

Also, when I find the time to dig further, I will try to isolate the rule(set) causing the problem with Veeam BKP transfers:

Quote
Veeam backups never reach peak performance; the transfer between the server being backed up and the data storage is almost all the time at a bare minimum, with short spikes of up to 10% of the transfer speed without IPS.

Anyway, I am pretty sure now that Suricata itself is not the culprit of my network problems, but some ET rules (rulesets) are.
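Ciprian narrowed the RDP breakage to the emerging-dos ruleset but not to a rule. The script below is an added example for this thread (not OPNsense, Suricata or the posters' code) of how to do that narrowing from Suricata's EVE JSON alert log: it keeps only alerts whose action was "blocked", optionally just those towards one destination port (3389 for RDP), ranks them by SID, and emits threshold.config `suppress` lines so the rest of the ruleset can stay active while the offenders are tested one at a time. The log path is an assumption, and every record in SAMPLE_EVE is constructed, including the SIDs and signature names. Note the caveat from earlier in the thread: this only works when the drops actually produce alerts; marianh's case had none.

```python
"""Rank the Suricata rules that drop traffic to one service so a noisy
ruleset can be narrowed to individual SIDs. Added example for this thread
(not OPNsense or Suricata code). Reads Suricata's EVE JSON log; the default
path is an assumption, and the records in SAMPLE_EVE are constructed, not
anyone's real alerts. Run on the firewall as:
    python rank_drops.py /var/log/suricata/eve.json 3389
"""
import json
import sys
from collections import Counter

DEFAULT_EVE = "/var/log/suricata/eve.json"  # assumed location


def _alert(src, dst, dport, sid, sig, action):
    """Build one constructed EVE alert record (gid 1, TCP)."""
    return json.dumps({
        "event_type": "alert", "src_ip": src, "src_port": 50000 + sid % 1000,
        "dest_ip": dst, "dest_port": dport, "proto": "TCP",
        "alert": {"action": action, "gid": 1, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": "Constructed", "severity": 2},
    })


RDP_HOST = "192.0.2.10"
SAMPLE_EVE = "\n".join([
    _alert("203.0.113.7", RDP_HOST, 3389, 9000001, "CONSTRUCTED DOS rule A", "blocked"),
    _alert("203.0.113.7", RDP_HOST, 3389, 9000001, "CONSTRUCTED DOS rule A", "blocked"),
    '{"event_type": "flow", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10"}',
    _alert("203.0.113.9", RDP_HOST, 3389, 9000002, "CONSTRUCTED DOS rule B", "blocked"),
    _alert("203.0.113.7", RDP_HOST, 3389, 9000001, "CONSTRUCTED DOS rule A", "blocked"),
    _alert("203.0.113.9", RDP_HOST, 3389, 9000003, "CONSTRUCTED alert-only rule", "allowed"),
    _alert("203.0.113.9", "192.0.2.20", 445, 9000004, "CONSTRUCTED SMB rule", "blocked"),
    '{"event_type": "alert", "truncated',  # log rotated mid-write
])


def parse_alerts(eve_text):
    """Return the alert records from EVE JSON text; skip other events and junk."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # half-written line, ignore rather than abort
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def rank_dropping_rules(alerts, dest_port=None):
    """Count blocked alerts per rule, optionally only towards one destination port.
    Returns [(gid, sid, signature, drops), ...], biggest offender first."""
    drops = Counter()
    names = {}
    for rec in alerts:
        a = rec["alert"]
        if a.get("action") != "blocked":
            continue  # 'allowed' is alert-only; it cannot be what breaks the service
        if dest_port is not None and rec.get("dest_port") != dest_port:
            continue
        key = (a.get("gid", 1), a["signature_id"])
        drops[key] += 1
        names[key] = a.get("signature", "")
    return [(gid, sid, names[(gid, sid)], n) for (gid, sid), n in drops.most_common()]


def suppress_lines(ranked, dest_ip=None):
    """threshold.config entries that silence each ranked rule, optionally only
    for one destination host, so the rest of the ruleset stays active."""
    out = []
    for gid, sid, sig, n in ranked:
        out.append("# %s (%d drops)" % (sig, n))
        line = "suppress gen_id %d, sig_id %d" % (gid, sid)
        if dest_ip:
            line += ", track by_dst, ip %s" % dest_ip
        out.append(line)
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_EVE
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    ranked = rank_dropping_rules(parse_alerts(text), dest_port=port)
    for gid, sid, sig, n in ranked:
        print("%6d drops  %d:%d  %s" % (n, gid, sid, sig))
    print("\n".join(suppress_lines(ranked)))
```

On OPNsense the per-SID enable/disable happens in the GUI's rules tab, so the ranked SID list is what you feed into that; the `suppress` lines are plain Suricata threshold.config syntax for the same thing when Suricata is run by hand, and the `track by_dst, ip` form limits the exception to the one host (the RDP server) instead of disabling the rule for the whole network.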