Messages

1

Intrusion Detection and Prevention / Re: Memory usage grow during a constant traffic flow

« on: November 29, 2020, 02:55:44 pm »

Thank you for the How-To.

All values were already configured in the standard files as mentioned in your How-To.
I have only added the IP addresses of my hosts to the host-os-policy section, but that didn't helped. 

2

Intrusion Detection and Prevention / Re: Memory usage grow during a constant traffic flow

« on: November 28, 2020, 02:48:37 pm »

I've about 58.000 rules enabled. That's a lot, I know. But it seems that they're not harming any other services like Netflix, Deezer or other connections which are using a constant bandwidth over a longer time.

I've enabled IDS/IPS on the LAN interface because I'm having several VLANs and interfaces. Therefore I want to scan the the traffic between them too.

My iPerf test run about two hours and there was no rising memory usage. So I guess it's a single rule which causes the issue during the SMB stream.

3

Intrusion Detection and Prevention / Memory usage grow during a constant traffic flow

« on: November 22, 2020, 01:52:02 pm »

Hey,

I'm often watching TV shows that I've recorded in the past, and saved on my NAS as MPG-2 file.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.

After approxm. 30 minutes watching I get an warning from my OPNsense, that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses the most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.

I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this a normal behaviour? If not, how should I go through to prevent this?

Current Suricata settings: Promiscus & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.

Jas

EDIT: I'm not able to reproduce this issue by using iPerf3 to create an TCP connection with an constant bandwidth usage.

4

20.7 Production Series / Re: Current list of bugs/issues I've encountered in 20.7

« on: August 17, 2020, 11:09:35 pm »

@FullyBorked: I'm having the issues #3 and #4 (both) too.

I've reported issue #3 some minutes ago (https://github.com/opnsense/core/issues/4272)
Regarding syslog-ng there are several reports of users which having the same or other issues (https://github.com/opnsense/core/issues/4263)

5

General Discussion / Re: Sonos across multiple subnets

« on: July 31, 2020, 10:41:31 pm »

I'm having the same network setup as you. You need to allow the UDP responses from the Sonos devices for ports 40000-60000.

This is my "UDP Broadcast Relay" configuration
udp_vars="--id 1 --port 1900 --dev [INTERFACE_LAN] --dev [INTERFACE_IOT] --multicast 239.255.255.250"

This is my firewall ruleset to allow the communication between the Sonos app and the devices

From Sonos app to Sonos devices
TCP/1400, 1443

From Sonos devices to Sonos app
TCP/3400, 3401, 3500
TCP/4444
UDP/40000-60000

6

Intrusion Detection and Prevention / Re: Samba (smb) with slow speeds because of Suricata

« on: June 07, 2020, 02:14:00 pm »

Hey,
Same issue here.

I've opened a new thread: https://forum.opnsense.org/index.php?topic=17572.0
Not exactly what you are searching for, but maybe it's helpful for you too.

Jas

7

Intrusion Detection and Prevention / Understanding of "user defined" rules

« on: June 07, 2020, 01:51:49 pm »

Hey,

I've different VLANs in my LAN and Suricata is enabled in IPS mode on the physical interface on which all VLANs mapped to.

When I copy some big files from a host in VLAN1 to a host in VLAN2 via SMB, Suricata reaches 100% of the CPU time because it inspects the traffic of course. Due to the high CPU utilization the bandwidth of the copy job is much lower than whitout IDS/IPS enabled.

So I added two user defined pass rules for the hosts (from host 1 to host 2 and vice versa). The rules are matching, but the Suricata process still uses 100% of the CPU time during the copy job.

My question is: should the traffic bypass IDS/IPS completly when there's a pass rule for it? Or is the traffic still inspected by IDS/IPS, and the pass rule overwrites only all alert/block rule that may match? The documentation of Suricata is not understandable for me in this point (https://suricata.readthedocs.io/en/suricata-4.1.2/performance/ignoring-traffic.html).
What would be the best way to perform my requirement?

Thanks.
Jas

8

Hardware and Performance / Re: Connection reset during iperf test

« on: March 13, 2020, 10:56:21 pm »

Hey tjanker,

Your OPNsense ends the connection to the client by sending the FIN flag in packet 18. The the RST flag in packet 19 is only to shutdown the connection immediatly without any timeouts.

Have you used any iPerf options? Is IPS enabled?

I guess you've captured the traffic on the client, because the frames from the clients are bigger than 1518 bytes (offloading is active).
Can you do another capture "on the wire" or on a mirror port on the switch?

Jas

9

19.7 Legacy Series / Re: How to handle Multicasts with TTL=1?

« on: January 06, 2020, 04:39:08 pm »

mangle is a Linux feature, not FreeBSD.

Ahh, good to know. I didn't know that.

See https://forum.opnsense.org/index.php?topic=15385.0

Yep, I already saw this thread but it doesn't work for the affected device. Because the TTL of the Multicast is 1, the packet is discarded before PIMD can handle it. The packets are not transmitted to the IoT VLAN. 

In my opinion I need to increase the TTL, or to tell OPNsense to ignore the TTL.

10

19.7 Legacy Series / How to handle Multicasts with TTL=1?

« on: January 06, 2020, 02:07:40 pm »

Hey,

I've seperated all my IoT devices into a single VLAN.
The associated Android management app of one of the IoT devices uses Multicasts to discover the device. Unfortunately the Multicast packets from the app have an TTL of 1. My mobile phone is in another VLAN and therefore the packets are discarted before PIMD can forward them to the IoT VLAN.

What would be the Best-Practise to handle this? Should I use iptable to mangle the TTL of the packets?

Jas

11

19.7 Legacy Series / Re: [Solved] Sonos on VLANS - PIMD

« on: December 31, 2019, 02:14:50 pm »

I've messed around with exactly the same things in the last days.
And I was so happy when I found this thread. :-)

I would be happy too when the PIMD would become an official plugin for OPNsense.

BTW: There's a typo. The file /etc/rc.conf.d/pimd must contain "enable" and not "enabled"

12

Intrusion Detection and Prevention / Re: IPS in VLAN only environment

« on: December 22, 2019, 05:34:58 pm »

@Oliver: Thank you for your post. I ran into the same issue

13

German - Deutsch / Re: Mehrere Subnetze über IPsec mit Fritz!Box erreichen

« on: October 24, 2019, 08:55:16 pm »

Ich bin der Meinung das mit dem manuellem SPD Eintrag auch probiert zu haben, jedoch ohne Erfolg. Kann sich natürlich zwischenzeitlich was geändert haben. Danke für den Hinweis.

Da die AVM Software aber momentan noch das Problem hat, dass man eine angepasste VPN Config nicht mehr eingespielt bekommt bzw. die Box diese nicht anzeigt, habe ich irgendwann das Testen aufgegeben.

Als Lösung habe ich meine lokalen Subnetze einfach so angepasst, dass ich diese mit einer größeren Subnetmask alle in eine Subnetzangabe der Phase 2 passen.

14

19.7 Legacy Series / Re: Firewall States Dump shows closed connections as established

« on: October 05, 2019, 12:11:53 pm »

@openfwb Thank you. Do you know why such a high timeout for established connections is preferred? For my understanding todays TCP connections are sending keep-alives at least every 120 minutes.

15

19.7 Legacy Series / Re: Firewall States Dump shows closed connections as established

« on: October 03, 2019, 11:18:04 pm »

I've found out that this is not an issue. The configured default timeout for established TCP connections is 24h (see Firewall: Diagnostics: pfInfo and tcp.established)

Is this best practise to have such a high timeout for those type of connections?
Can I change it within the GUI?