OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: steverino on May 15, 2017, 01:39:13 am

Title: Intrusion Detection w/ IPS enabled = nothing works
Post by: steverino on May 15, 2017, 01:39:13 am
Hello, I'm having a strange issue when I enable Intrusion Detection and IPS.

When both are enabled, my port forwards are no longer open (tested via port scan from outside of the network) and none of my websites resolve/load within the local network. I notice when I enable Intrusion Detection with IPS mode enabled, there are a few lines of code that scroll past on the console. I've attached a screenshot.

In the screenshot...
-> The white lines show up when IDS/IPS is enabled. At this point, no traffic flows to client machines (websites sit loading/spinning) and port forwards disappear from outside.
-> The last line at the bottom shows up when IDS/IPS is disabled. Then, all 'stuck' website queries/traffic suddenly show up and ports are re-opened on the outside.

A little bit about my environment:
- Proxmox (5 BETA) host w/ bridged ports from a dual NIC (RTL8111 chipset) (host is a Xeon 1240, can't do passthrough)
- OPNsense 17.1.6-amd64
- Hardware CRC, TSO, LRO, and VLAN filtering all disabled
- IDS enabled on the WAN port
- the general array of 'default'/already enabled/disabled rules still checked/unchecked

I'd much prefer being able to enable Intrusion Detection and IPS :P but it's strange that nothing else seems to work when they are... Any ideas?


Title: Re: Intrusion Detection w/ IPS enabled = nothing works
Post by: Manxmann on May 30, 2017, 02:49:22 pm
I've had a similar issue with Proxmox 4.4, eventually put the issue down to buggy VirtIO NIC drivers in FreeBSD.

Moving my exact same config (backup/restore) to physical hardware with Intel e1000-style NICs and everything works.

Have you tried changing the NIC type to e1000?

Title: Re: Intrusion Detection w/ IPS enabled = nothing works
Post by: mimugmail on May 30, 2017, 03:10:42 pm
I have the same issue with ProfitBricks which runs OpenStack ...

Title: Re: Intrusion Detection w/ IPS enabled = nothing works
Post by: michaelvv on June 29, 2017, 05:28:44 am
Same issue on Proxmox 4.3.x, but if I change to E1000 it works without any problems.

But E1000 is a CPU hog in KVM compared to VirtIO... So it's really a showstopper.

Haven't had any issues with pfSense and VirtIO since FreeBSD version 9.1, so why is the VirtIO driver buggy and broken now ???

Best Michael.

Title: Re: Intrusion Detection w/ IPS enabled = nothing works
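A pre-flight check of the kind this thread implies, added here as an example and not something posted by any of the participants: it reads ifconfig-style output for the interface IPS will run on, flags a vtnet (VirtIO) driver as the combination the thread reports problems with, and lists the offload options the original poster disabled (RXCSUM/TXCSUM, TSO, LRO, VLAN_HWFILTER) if any are still on. The interface text samples are constructed; the function name ips_audit and the option list are assumptions.

```shell
#!/bin/sh
# Added example: audit one FreeBSD/OPNsense interface before enabling IPS mode.
# Input is the text of `ifconfig <iface>`; here two constructed samples are used.

# Offload options that must be off for IPS (netmap) mode; list is an assumption.
OFFLOAD_OPTS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWFILTER"

# ips_audit IFCONFIG_TEXT: prints one finding per line, returns 1 if any WARN.
ips_audit() {
    _text="$1"
    _rc=0
    # Driver family is the interface name without its unit number (vtnet0 -> vtnet).
    _name=$(printf '%s\n' "$_text" | sed -n '1s/^\([a-z]*\)[0-9]*:.*/\1/p')
    case "$_name" in
        vtnet) echo "WARN driver=vtnet (VirtIO; thread reports IPS traffic loss on Proxmox)"; _rc=1 ;;
        em|igb) echo "OK driver=$_name (e1000-style, reported working)" ;;
        *) echo "INFO driver=$_name (not discussed in the thread)" ;;
    esac
    # Pull the comma-separated list inside options=<...> and compare it item by item.
    _opts=$(printf '%s\n' "$_text" | sed -n 's/.*options=[0-9a-f]*<\(.*\)>.*/\1/p' | tr ',' ' ')
    for _o in $OFFLOAD_OPTS; do
        for _have in $_opts; do
            [ "$_have" = "$_o" ] && { echo "WARN offload $_o still enabled"; _rc=1; }
        done
    done
    return $_rc
}

# Constructed sample: VirtIO NIC with hardware offloads still enabled.
VTNET_SAMPLE='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE>
        ether 00:00:00:00:00:01'

# Constructed sample: e1000-style NIC with offloads disabled.
EM_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80008<VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:00:00:00:00:02'

ips_audit "$VTNET_SAMPLE" || echo "vtnet0: not ready for IPS mode"
ips_audit "$EM_SAMPLE" && echo "em0: ready for IPS mode"
```

On a live box, replace the samples with `ifconfig wan_iface` output; the exit status can gate a change script.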
Post by: hightechrdn on December 30, 2017, 07:25:24 am
Removing my reply as I decided it was better to create a new thread "Intrusion Detection plus IPS enabled plus vrtio = blocked network traffic" in the IDS/IPS subforum since I am using the current stable version of OPNsense (17.7.11), not a Legacy version.

https://forum.opnsense.org/index.php?topic=6737.0