Messages - w9hdg

#1
I did figure out the IPv6 thing...I redid some of the clients and the addresses changed, which meant that Zenarmor was treating the IPv6 stuff as "unknown" devices and applying the default policy, which I have set to block unknown clients.

I did reapply zenarmor to the WG0 interface. Restarted Zenarmor and Wireguard to make sure everything was happy. Verified proper connectivity, CPU utilization spiked (as expected). There was no observable difference in CPU Utilization when in bypass mode.
#2
Just a quick follow up...if I remove the wireguard interface from zenarmor...all is good in the world so it seems like there is something wonky going on between wireguard and zenarmor.
#3
Zenarmor (Sensei) / Zenarmor & Wireguard = High CPU
March 30, 2025, 04:48:27 AM
Hello Everyone,

Been scratching my head on this one for a few days now. The other day I noticed that my firewall's CPU utilization was running at a constant 15% even with very little traffic flowing through the system.

I restarted zenarmor and the CPU utilization dropped back down to near idle and all was good in the world...until I also noticed that I was having trouble routing IPv6 through my wireguard instance from my phone to home (I have my phone call home and route all its traffic through my home when I'm out and about).

Restarted the wireguard server instance and ipv6 started working again...and then I noticed that the CPU utilization was back up. It didn't matter if I was connected to the server or not...it was high.

Restart zenarmor, cpu goes down, ipv6 stops working. Restart wireguard, cpu goes up ipv6 starts working again.

I should clarify that ipv6 on the non-wireguard stuff (so my other vlans) worked fine the entire time so it is only affecting the ipv6 setup of the wireguard instance.

I would appreciate any thoughts or ideas that the hive mind might have because I'm at a complete loss at this point.

Thanks,

~T
#4
You could always vpn from your house to your VPS (wireguard) and then run the forward from the VPS through the VPN completely bypassing all the CGNAT stuff.
#5
Right now I'm using Elasticsearch. I have tried MongoDB, thinking that maybe it would be better. I could switch back and try again, but my question is...how would I disable Java then?
#6
I've tried MongoDB with the same results.
#7
Here we go, as expected memory utilization is climbing this morning and it looks like Java based with elasticsearch and eastpect are the top two, which I believe are related to ZenArmor.
#8
I just restarted the Zen engine so it will be a few hours, but as I recall the top processes are usually the database (elasticsearch) and eastpect. I'll copy the output of top into here the next time it really starts to get hungry (probably this time tomorrow).

I also restarted the database engine and it cleared the swap out too...seems like something isn't releasing memory properly.
#9
I am honestly at a loss. I really want to like Zenarmor and what it brings to the table but frankly this memory consumption issue has me about ready to uninstall it for a while.

I'm using the Elasticsearch database (whatever the version 5 one is, but have also tried version 8). I have tried the MongoDB option. No matter what, after about 2-3 days I am pretty much out of RAM and SWAP space.

I'm willing to help contribute logs, etc to whatever/whomever in order to fix this because it really is a good product, one I have considered opening my wallet for, but I just can't until this gets resolved.

Any other ideas of what I could try? Every time I change something, restart the Zen Engine, or reboot, my IPv6 prefix changes which means that DNS overrides need to be updated, firewall rules need to be updated, and my external DNS needs to be updated (yes I know I could probably automate some of this, but I haven't had time because I'm always fighting Zenarmor).

Thanks in advance,
~T
#10
Sweet...forgive my ignorance...how do I do that?

I just dropped into terminal and tried nmap and got command not found so I'm guessing I'm not using nmap.
#11
How did you end up dealing with this? I'm seeing the same behavior and I'm sure that I'm encountering the same problem.
#12
22.7 Legacy Series / Re: Throughput with IDS/IPS Enabled
November 12, 2022, 12:13:56 AM
Quote from: Supermule on November 11, 2022, 11:54:38 PM
The short answer is yes....

But in the end it depends on the hardware at hand.

Can you elaborate? It has 10 cores of a dual e5-2450v2 setup which turbos to 2.5 GHz. Is Suricata single threaded? If so, that would explain why throwing more cores at it doesn't seem to be really helping.
#13
22.7 Legacy Series / Re: Throughput with IDS/IPS Enabled
November 12, 2022, 12:12:21 AM
Quote from: vico1959 on November 11, 2022, 11:49:08 PM
Did you disable all hardware offloading as the help on the IPS line warns you to do before enabling?

Yes I did
#14
22.7 Legacy Series / Throughput with IDS/IPS Enabled
November 11, 2022, 11:39:05 PM
Good Day Everyone,

I have been trying to wrap my head around the Intrusion Detection system. I have attached screenshots of the configuration that I have instead of trying to explain it all. The long and the short of it is that when I have Intrusion Detection/Intrusion Prevention enabled I see the throughput of my WAN drop from 550ish to 480 or so.

I have attached screenshots of everything I can think of. Is the IDS system just that much of a power hog? If so, perhaps the system requirements page needs an update to reflect this, because from my understanding I should be running a lot better than I am. I do know I'm a little light on RAM; that is being addressed tomorrow when my order shows up (I hope). For the observant among you, this is a virtualized install with a passed-through Intel dual gigabit NIC.

Thanks in advance,

~T
#15
Good call, don't know why I didn't think of that. Only instead of making a new VM I just did a fresh install like you would if it was bare metal because I can always still restore from backup.

Not only was I able to successfully upgrade to 22.7.6, my RAM utilization fell off the face of the earth. I was at 94% utilization of 8GB, now I'm at 7%. Seems to me like I ended up with a corrupted install somewhere down the line.

Now to see if maybe my IDS/IPS issues are resolved through the fresh install as well.

Thanks

~T