OPNsense Forum
English Forums => General Discussion => Topic started by: nospam on June 28, 2018, 03:21:47 pm
-
I recently installed OPNsense 18.1.8-i386 after my IPFIRE system got corrupt after an update.
After getting the system configured I let it do an update to OPNsense 18.1.10-i386.
What I'm finding is that Suricata is causing my download bandwidth to go from 40Mbit with Suricata disabled to 4Mbit with it enabled. The other problem I am finding is that my ping times to my firewall start to increase from 0.3ms average to 10,000+ms and it starts dropping packets and eventually the firewall locks up and becomes unresponsive. Stopping Suricata makes everything run well again.
I am running OPNsense 18.1.10-i386 on an Intel(R) Celeron(R) CPU N3150 @ 1.60GHz (4 cores) with 16GB RAM and 120GB SSD.
I'm not sure if I was getting network slowdowns with Suricata prior to the update. I tried re-installing Suricata but it doesn't make a difference.
I'm at the point of either a complete re-install back to 18.1.8 to test the difference or going back to IPFIRE or PFSENSE. So far I like many of the OPNSENSE features but Suricata instability is a deal breaker for me.
Has anybody else seen this issue?
I was running 4 rules under Suricata which is monitoring LAN+WAN traffic:
1. Alert for incoming packets to countries other than US/CA
2. Alert for outgoing packets to countries other than US/CA
3. Drop incoming packets from a list of countries like CHINA, Africa, Middle East, Eastern Europe
4. Drop outgoing packets from a list of countries like CHINA, Africa, Middle East, Eastern Europe
The other odd part was that Suricata was alerting for rules 1+2 for all LAN IPs. Is there a way to exclude private IP LAN traffic from rules 1+2 from being flagged in the country codes? I want Suricata to tell me which IP addresses on my LAN are trying to make connections to blacklisted countries.
-
Just as an update...
I changed update servers (from NY to NL) and a bunch of updates appeared. I first restored to an older backup, then performed the updates. After the updates I re-enabled features one by one and now Suricata appears to be working as expected. I eliminated rules 1+2 and all appears to be working better with ping times now 40-80ms and download speeds back to 40Mbit.
-
> I am running OPNsense 18.1.10-i386 on a Intel(R) Celeron(R) CPU N3150 @ 1.60GHz (4 cores) with 16GB RAM and 120GB SSD.
Hi,
Why do you install the i386 (32-bit) OPNsense on a 64-bit CPU? It is working, but a 32-bit system can't use more than 4GB of RAM.
And AFAIK the Intel Celeron N3150 supports a max. memory size of 8GB RAM.
Best regards
Dirk
-
> why do you install the i386 (32Bit) OPNsense on a 64-Bit CPU?
Probably because I'm old school, used to seeing x86_64 or x64 binary labels in distros, because I still have pre-conceived incompatibility notions between AMD and Intel chipsets.
> And AFAIK the Intel Celeron N3150 supports a max. memory size of 8GB RAM
What's your direct email address? How good is your Mandarin/Cantonese? I'm going to write a letter to Amazon asking their vendor to contact you regarding their pre-canned systems being sold online as "BSD" compatible systems with too much advertised RAM and wireless hardware having no working BSD drivers...