Messages - chknpikr

#1
That is the procedure.

I'm running fine on .10 with Suricata locked at .8, but I would hold at the version you're on now.  There's no need to rush the upgrade.  I suspect there are other underlying gremlins complicating various configs, judging from forum posts here and elsewhere.

In tech, "upgrading" a perfectly stable setup usually turns into "ruining your entire weekend".  We're all masochists.
#2
And restore your last good config on .9.
#3
Quote from: gurpal2000 on January 05, 2023, 07:34:43 PM
Noticed internet access was very slow since doing the upgrade a couple of days ago.

Thankfully came across this thread. Not an OPNsense expert. Running OPNsense on a dedicated physical machine.

Rolled back to 22.7.9 and things seem to be back to 'normal'.

opnsense-revert -r 22.7.9 opnsense
opnsense-update -kr 22.7.9
# then reboot

Cheers,
Do the commands exactly as shown above.  Revert, update, then reboot.  First command reverts the package, second command updates the kernel to the specific package.
#4
And, yes, .10 broke some things for sure, but OPNsense has been a rock solid platform for me for several years up until this last change.


Sent from my iPhone using Tapatalk
#5
And to answer a previous poster, no, it's not fixed.  Lock Suricata at 6.0.8.  Everything else should work fine.

You can follow the Suricata bug report Franco linked to earlier.

#7
Make sure to lock Suricata at 6.0.8_1

#8
You can download it directly from here:

https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/MINT/22.7.8/OpenSSL/All/

Scroll down and find:

   suricata-6.0.8_1.pkg   2022-11-16 21:31   1.9M   

https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/MINT/22.7.8/OpenSSL/All/suricata-6.0.8_1.pkg

I'm assuming you're on OpenSSL.  Easy enough to figure out, if you're on LibreSSL.

https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/MINT/22.7.8/LibreSSL/All/suricata-6.0.8_1.pkg
#9
Yes.

# opnsense-revert -r 22.7.8 suricata
#10
No output on dmesg.
#11
This is very much what's going on:

https://redmine.openinfosecfoundation.org/issues/5744#note-16

I came across this previous problem, as well, during my research, and it describes exactly what is happening with my system.  There are no errors logged.  Interface just drops.  "Ethernet detached event".  And the first version of 6.0.9 completely bricked my box, which could not be accessed through ssh or web GUI.  Full reboot with hardware power button was the only option.
#12
  - interface: eth0
    #copy-iface: eth1
  - interface: default
  - interface: default
netmap:
  - interface: default
    # (e.g. "copy-iface: eth0+"). Don't forget to set up a symmetrical eth0+ -> eth0
    #copy-iface: eth3
  - interface: em1
    copy-iface: em1^
  - interface: em1^
    copy-iface: em1


Baremetal i5, 16GB dual channel RAM, Intel 82583V NIC, Protectli box.  Suricata IPS, Promiscuous, on LAN.

I believe the issue manifests itself the easiest with multiple TLS connections.  As mentioned previously, can reproduce problem instantly with nzbget (docker instance on NAS) (setup 6 news-servers with 63 TLS connections on a 1Gbps connection and watch your interface get obliterated; this setup can completely saturate the line with TLS connections/SSL traffic).  My network performs flawlessly with 6.0.9 otherwise, and same setup works 100% flawlessly on 6.0.8.  Can switch the versions (6.0.9 patched without new API; previous version bricked the box) mid-download and watch the download speeds die and come back (with restarting the Suricata service in between).
#13
Much thanks Franco for the followup.
#14
Doesn't kill the entire network anymore (or crash the OPNsense router), but still kills the SSL connections after 30 seconds or so.  Throwing the Ethernet detached event on LAN (em1) now, but interface recovers.
#15
Can confirm it's Suricata 6.0.9.  Have spent many hours the last two days testing numerous settings and scenarios.

Reverted to Suricata 6.0.8 on OPNsense 22.7.9 and the problem stopped.  The logs did not show anything other than this: "/usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(em0)" each time it happened.  Problem was easily reproduced with nzbget (will saturate download pipeline; seems to be related to multiple, parallel high bandwidth connections occurring simultaneously; saw no unusual problems during normal daily network activity, so I'm sure most users will not notice anything amiss).  Dropped the entire network within seconds.

Protectli box, Intel NIC, i5, 16GB dual channel.  Suricata running IPS, Promiscuous, on LAN.  Platform and config have been rock solid until this upgrade.

And, there are no hardware problems with the NIC, cable, ISP modem or switch.
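
The only log trace reported in the posts above is the rc.linkup "Ethernet detached event" line, so one way to check whether a box shows the same symptom is to count those lines per interface and flag bursts. The following is an added example, not code from the thread or from OPNsense; the timestamp prefix, the sample lines, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the post. The ISO 8601 timestamp at the start of
# each line is an assumed log prefix; adjust the pattern to your log format.
DETACH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*"
    r"DEVD: Ethernet detached event for .*?\((?P<dev>\w+)\)"
)

# Constructed sample lines, not taken from the thread.
SAMPLE_LOG = """\
2023-01-05T19:30:02 fw opnsense[4242]: /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(em0)
2023-01-05T19:30:41 fw opnsense[4250]: /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(em0)
2023-01-05T19:31:15 fw kernel: em0: link state changed to UP
2023-01-05T19:31:20 fw opnsense[4261]: /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for dynamic wan(em0)
2023-01-05T21:02:10 fw opnsense[5120]: /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for lan(em1)
"""

def detach_events(lines):
    """Return {device: sorted list of datetimes} for every detach line."""
    events = defaultdict(list)
    for line in lines:
        m = DETACH.match(line)
        if m:
            events[m["dev"]].append(datetime.fromisoformat(m["ts"]))
    return {dev: sorted(stamps) for dev, stamps in events.items()}

# threshold and window are illustrative defaults, not values from the thread.
def flapping(events, threshold=3, window=timedelta(minutes=5)):
    """Return {device: peak count} where `threshold` or more detaches fall in one window."""
    flagged = {}
    for dev, stamps in events.items():
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[dev] = peak
    return flagged

if __name__ == "__main__":
    found = detach_events(SAMPLE_LOG.splitlines())
    for dev, stamps in found.items():
        print(f"{dev}: {len(stamps)} detach event(s), first at {stamps[0]}")
    print("flapping:", flapping(found))
```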