OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: hightechrdn on December 30, 2017, 09:16:35 pm

Title: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Post by: hightechrdn on December 30, 2017, 09:16:35 pm
Note: I originally replied to this thread https://forum.opnsense.org/index.php?topic=5173.0 as it describes the same symptoms as I am facing. However, I now see that the thread is in the 17.1 Legacy subforum and I am using the latest stable OPNsense release, so this subforum seemed like a better location.

--------
Guest VM running OPNsense 17.7.11. The host is running Proxmox 5.1. Everything was installed in the last few days, so it is a fairly clean, out-of-the-box configuration.

The OPNsense VM is configured as an Internet router (standard auto NAT setup), one interface on the LAN and the other interface on the WAN. Both are bridged to dedicated host interfaces. Network devices are set to virtio in the VM configuration.

Network device HW offloading is disabled in OPNsense. I also have TX offload disabled at the host level using ethtool.

As soon as IPS is enabled, traffic through the router and from the VM itself to the WAN basically stops. tcpdump on the WAN interface shows a few packets, but only a very small percentage of what should be there. Packets reported by tcpdump are truncated, each missing a different number of bytes.

Behavior is the same even with no IPS/IDS rules enabled. Disabling IPS restores full network functionality. If the network devices are switched to E1000, IPS works correctly and network traffic is forwarded/NAT'd but CPU utilization goes up dramatically.

I am upgrading my Internet connection from 50Mbps to 200Mbps next week, so I am concerned OPNsense isn't going to get the job done, at least not without throwing a lot of HW/energy at the problem.

Has anyone found a solution to this problem, which appears to be caused when using IPS with the virtio driver/devices?
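The post mentions disabling TX offload on the Proxmox host with ethtool. The following added script (not from the thread or the OPNsense project) audits an `ethtool -k` listing of a bridged host NIC for the offload features an engineer would typically check before bridging it to a netmap-based IPS guest, and prints the `ethtool -K` commands that would switch off any still enabled; the watched feature list and the sample output are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit `ethtool -k IFACE` output for offload features
# that are commonly switched off on a host NIC bridged into an IPS guest.
# The feature list below is an assumption, not taken from the thread.
WATCH="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Map a long feature name to the short flag that `ethtool -K` accepts.
flag_for() {
  case "$1" in
    rx-checksumming) echo rx ;;
    tx-checksumming) echo tx ;;
    tcp-segmentation-offload) echo tso ;;
    generic-segmentation-offload) echo gso ;;
    generic-receive-offload) echo gro ;;
    large-receive-offload) echo lro ;;
  esac
}

# Read `ethtool -k` output on stdin; print watched top-level features still "on".
# Indented sub-features (tab-prefixed) are skipped; only parent lines are judged.
offloads_still_on() {
  awk -v watch="$WATCH" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^[a-z-]+: (on|off)/ {
      name = $1; sub(/:$/, "", name)
      if ((name in want) && $2 == "on") print name
    }'
}

# Emit one `ethtool -K` command per feature that still needs disabling.
remediation_cmds() {
  iface=$1
  offloads_still_on | while read -r f; do
    echo "ethtool -K $iface $(flag_for "$f") off"
  done
}

# Constructed sample resembling `ethtool -k eth0` output (not a real capture):
# TX checksumming is off, as in the post, but RX checksumming and GRO remain on.
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: off
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

printf '%s\n' "$SAMPLE" | remediation_cmds eth0
```

On a live host, replace the sample with `ethtool -k vmbrX-member-nic | remediation_cmds nic` and review the printed commands before running them.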
Title: Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Post by: mimugmail on December 31, 2017, 06:42:32 am
No, this is sadly still an open issue  :'(
Title: Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Post by: hightechrdn on January 03, 2018, 12:32:13 am
Is the cause of the problem known at this point in time? More specifically, is the issue specific to OPNsense, or is it an upstream problem with one of the components used by OPNsense (e.g. Suricata, virtio driver, Linux network stack, etc.)?
Title: Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Post by: mimugmail on January 03, 2018, 06:36:50 am
It's the FreeBSD VirtIO driver...
Title: Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Post by: franco on January 04, 2018, 09:19:47 pm
Use the e1000 emulation.
Cheers,
Franco