Intrusion Detection and Prevention / Suricata 5.0.5_1 - SIP fax transmission failing
« on: February 26, 2021, 08:30:18 pm »
Here is my observation with version 5.0.5_1.
Updated to Suricata 5.0.5_1 by installing the OPNsense 21.1.2 update.
(Suricata monitors WAN1 (of 2 available WAN ports) only, in IPS mode. The Asterisk fax server and a physical fax machine with ATA are connected to a separate LAN, and traffic of these devices is routed through WAN2 (both LAN and WAN2 are not monitored with Suricata)).
Almost all attempts to send or receive faxes failed with various error messages on the fax server, and the real fax machine shows "communication error". Only a few faxes could be sent, with some lines missing. SIP telephony works flawlessly (without hearable glitches).
I suspect UDP packet loss or delay (maybe high system load?).
Reverting back to 5.0.5 immediately solves the problem.
Walter
Intrusion Detection and Prevention / Re: IPS interferes with internal LAN traffic
« on: November 14, 2020, 10:50:34 pm »
Hi Chemlud.
I checked the log -> the interfaces were up all the time.
Intrusion Detection and Prevention / IPS interferes with internal LAN traffic
« on: November 14, 2020, 08:14:30 pm »
I'm using OPNsense 20.7 as a router between a LAN and WAN, and Suricata is activated in IPS mode on the LAN interface only.
As soon as IPS mode is enabled and traffic within the LAN increases, I'm faced with strange delays in transmission between different PCs within the LAN. Simple requests to our servers that are usually answered within milliseconds suddenly can take up to several seconds or even time out.
Please note that I am talking about problems with communication WITHIN the LAN subnet, not connections that are routed through OPNsense!
It is very hard to tell, but I think this mostly affects communication with virtualized servers (running in Proxmox VE KVM environments), where several server VMs share a single NIC for communication. I am running 2 physical Proxmox VE machines with several VMs each. The problem is observed with both machines. But at times, even access to the OPNsense web interface is slowed down.
All PCs, servers and devices in the LAN subnet are configured with static IPs. The whole setup can work without any router attached.
I am using a 24-port unmanaged switch with most devices and OPNsense attached directly, but there are also some devices connected to cascaded switches (all unmanaged). OPNsense runs on a Supermicro RI1102D-F server with 6 onboard NICs.
The IPS does not report any alerts. If switched to IDS mode, the "interference" stops immediately and everything is running full speed.
Load average is at approximately 1.5 with a 4-core / 8-thread processor.
I have absolutely no idea what is happening here. I don't see any reason the IPS should interfere with traffic not addressed to the outside / OPNsense. Could Suricata be flooding the LAN with packets?
Currently, I am forced to leave IPS disabled.
Any ideas are greatly appreciated!
Thank you,
Walter