OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: remd on August 10, 2017, 12:52:56 pm

Title: SOLVED - IDS/IPS conf/issue
Post by: remd on August 10, 2017, 12:52:56 pm
I've checked some documentation about IDS/IPS like here: https://docs.opnsense.org/manual/ips.html
But so far I haven't been able to get IDS/IPS to work.

I've enabled it (tried both pattern matchers) only on the main gateway and with a minimal set of rules from abuse.ch, but every time I enable it I cannot connect anymore to the internet. It seems to block everything.
The firewall logs show that the pings are allowed to pass, and I don't see any related logs in the IDS Alerts, only Allowed actions for other traffic. I also don't see anything in the packet capture (even in promiscuous mode), so at this point I don't know why all connections are blocked as soon as I enable the IDS/IPS.

Does anyone have an idea what could be wrong, or instructions?
Title: Re: IDS/IPS conf/issue
Post by: Ciprian on August 10, 2017, 03:13:37 pm
It might be related to DNS traffic problems caused by enabling IPS: there are multiple posts claiming that enabling IPS tampers with and heavily impacts DNS traffic.

So, try and see if IDS only works for you, or if it seems to be "everything blocked", as almost "everything" on the internet relies on DNS.
Title: Re: IDS/IPS conf/issue
Post by: remd on August 10, 2017, 03:58:18 pm
Thanks for your suggestion.
In the meantime I've tried only IDS and it works. So the problem starts when I enable the IPS.

There could also be a DNS problem, but even if I ping an IP outside it cannot reach it, so it's not only a DNS issue.
Title: Re: IDS/IPS conf/issue
Post by: remd on August 10, 2017, 04:24:05 pm
I've enabled logging in syslog as well to see if anything comes up.
I don't see anything in the logs other than allowing the icmp package to pass.
For example, if I try to ping Google using an IP, 216.58.206.68, which responds fine with just the IDS on.

I also tried to go to the command line and grep -rn 216.58.206.68 in the /var/log/ folder to see if it would appear anywhere, and it only appeared in the filter log:
"Aug 10 16:17:27 mm-0020 filterlog: 78,,,0,igb1,match,pass,out,4,0x0,,64,56740,0,none,1,icmp,84,192.168.250.1,216.58.206.68,datalength=64"

The ping result:
PING 216.58.206.68 (216.58.206.68): 56 data bytes

--- 216.58.206.68 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
ping: sendto: Invalid argument
ping: sendto: Invalid argument
ping: sendto: Invalid argument
Title: Re: IDS/IPS conf/issue
Post by: remd on August 10, 2017, 05:17:43 pm
Maybe another indication: when I try to do a name resolution in the command line I get this error:

drill www.google.com
Error: error sending query: Error creating socket

or drill www.google.com @internal_dns_server_ip
Error: error sending query: Could not send or receive, because of network error

(drill seems to be like dig on FreeBSD)

Again, this works fine as long as I don't have the IPS enabled.
Title: SOLVED - Re: IDS/IPS conf/issue
Post by: remd on August 10, 2017, 07:12:51 pm
I've noticed this in the system logs:
"Aug 10 15:38:25 mm-0020 kernel: arpresolve: can't allocate llinfo for 192.168.201.1 on igb1"

Which means that the gateway is not on the LAN subnet and should be set as a "Far Gateway".
Once I've enabled that setting on the gateway, it started to work.

Now, why I only have this problem when the IPS is on I don't know; maybe because it is forcing packages to go through a particular range that cannot reach that gateway...?

In any case this issue is solved for now.
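The root cause found above, a gateway address outside the interface's connected subnet, can be spotted from the kernel message alone. The following is an added example (not code from the thread or from OPNsense) that parses "arpresolve: can't allocate llinfo" lines, checks each reported gateway against the interface's subnet and lists the gateways that need the "Far Gateway" flag (or a corrected netmask); the interface netmask 192.168.250.1/24 and the second log line are constructed assumptions, since the thread only shows the interface IP.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# FreeBSD kernel message logged when a route's next hop cannot be ARP-resolved
# because it is not on the interface's directly connected subnet.
ARP_RE = re.compile(
    r"kernel: arpresolve: can't allocate llinfo for "
    r"(?P<gw>\d+\.\d+\.\d+\.\d+) on (?P<ifname>\w+)"
)

# Constructed sample log: first line mirrors the thread, second is a benign filterlog line.
SAMPLE_LOG = """\
Aug 10 15:38:25 mm-0020 kernel: arpresolve: can't allocate llinfo for 192.168.201.1 on igb1
Aug 10 16:17:27 mm-0020 filterlog: 78,,,0,igb1,match,pass,out,4,0x0,,64,56740,0,none,1,icmp,84,192.168.250.1,216.58.206.68,datalength=64
"""

# Hypothetical interface addressing; the /24 netmask is an assumption, the thread only shows the IP.
INTERFACES = {"igb1": "192.168.250.1/24"}


def parse_arpresolve(log_text: str) -> List[Tuple[str, str]]:
    """Return (interface, gateway) pairs from arpresolve llinfo failures."""
    matches = (ARP_RE.search(line) for line in log_text.splitlines())
    return [(m["ifname"], m["gw"]) for m in matches if m]


def gateway_on_subnet(ifname: str, gw: str, interfaces: Dict[str, str]) -> bool:
    """True if the gateway lies inside the interface's connected subnet."""
    net = ipaddress.ip_interface(interfaces[ifname]).network
    return ipaddress.ip_address(gw) in net


def far_gateways(log_text: str, interfaces: Dict[str, str]) -> Dict[str, List[str]]:
    """Map interface -> gateways reported by the kernel that are off-subnet."""
    result: Dict[str, List[str]] = {}
    for ifname, gw in parse_arpresolve(log_text):
        if ifname in interfaces and not gateway_on_subnet(ifname, gw, interfaces):
            gws = result.setdefault(ifname, [])
            if gw not in gws:
                gws.append(gw)
    return result


if __name__ == "__main__":
    for ifname, gws in far_gateways(SAMPLE_LOG, INTERFACES).items():
        print(f"{ifname}: gateway(s) {', '.join(gws)} outside {INTERFACES[ifname]}; "
              f"enable 'Far Gateway' or fix the netmask")
```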