Messages - phantomsfbw

#61
22.1 Legacy Series / Crowdsec
May 11, 2022, 03:36:35 AM
I was on 22.1.6 and had installed Crowdsec manually and it seemed to work fine. Today I installed the new 22.1.7 and Crowdsec quit working. OS-crowdsec shows it has been orphaned in the plugins section. I deleted the orphan and tried to reinstall the new Crowdsec packages, there are two, and I get this error:
***GOT REQUEST TO REINSTALL***
Currently running OPNsense 22.1.7 (amd64/OpenSSL) at Tue May 10 21:31:04 EDT 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
pkg-static: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/packagesite.pkg: Not Found
SunnyValley repository is up to date.
All repositories are up to date.

No packages are required to be fetched.
Integrity check was successful.
crowdsec-1.3.3: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
pkg-static: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/packagesite.pkg: Not Found
SunnyValley repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
   crowdsec-1.3.3 [OPNsense]

Number of packages to be reinstalled: 1
[1/1] Reinstalling crowdsec-1.3.3...
[1/1] Extracting crowdsec-1.3.3: .......... done
Cannot 'status' crowdsec. Set crowdsec_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
Cannot 'stop' crowdsec. Set crowdsec_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.
Cannot 'start' crowdsec. Set crowdsec_enable to YES in /etc/rc.conf or use 'onestart' instead of 'start'.
You may need to manually remove /usr/local/etc/crowdsec/local_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/online_api_credentials.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/crowdsec/config.yaml if it is no longer needed.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

I found the /etc/rc.conf file empty when I went to edit.  I was able to manually remove the recommended files, but that did not change anything.  How do I get Crowdsec back up and running?
#62
So I finally figured it out! In the recent OPNsense update 22.1.1_3, it dumped the Protected Interface under Zen Armor. Once I reset the interface to LAN, the Suricata IPS setting now sticks to On!! Now I wonder what else has not carried over from before the update....
#63
Posted in a different thread earlier today of strange issues with Suricata shutting off in IPS mode shortly after it starts up. Tried changing from Hybrid mode and that did not change anything either. Rebooted many times in between as well. Verified WAN IP was properly entered as well. This is the log entry I am seeing:

Error   suricata   [116410] <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix0/R failed: Device busy

I can reduce Suricata service to IDS only mode and I don't see this error in the log.

Running UNBOUND with DNS/TLS without issue. Also running ZENARMOR without issue.

No VLANS so no Promiscuous Mode.
#64
I get this error: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix0/R failed: Device busy
Line Number: 103419
I have also checked to see if the WAN IP has not changed.
#65
Well dummy me. Finally solved the problem by fixing the "Home networks" setting.  To see this setting, you must check advanced mode under the administration menu and you will see it under the setting tab as a small toggle.  If you are only using Suricata on the WAN interface, you need to delete those default LAN interfaces from the Home networks setting. You then need to add your WAN IP address in the Home network setting.

Also note to keep in mind that if your ISP uses DHCP to provide your WAN IP address, then your WAN IP address could change from time-to-time so you will need to adjust the Home network setting accordingly.

Consider this post solved!
#66
22.1 Legacy Series / Re: RSS Support Yet?
January 22, 2022, 05:46:06 PM
Perhaps. I don't see it as a tunable like it was under the old OS.
#67
22.1 RC2 is a little better in the sense the system does not crash now when doing a speedtest and IPS is enabled.  However, on the upload part of the test with IPS enabled, the test hangs in the 300-400MB range, and then the system recovers.  The NIC for the WAN is an Intel i219v if that helps.  CPU and RAM are at most taxed at 25% when running the test on a symmetrical 1GB FIOS line.  As mentioned earlier, there were no issues in this setup using the 21.7 software. 
#68
22.1 Legacy Series / RSS Support Yet?
January 22, 2022, 02:22:12 PM
Is there RSS support built in or coming later? Thank you.
#69
To be certain and not let this digress to an Unbound discussion, my Unbound with DNS over TLS works without issue. I can select Intrusion Detection to Enabled and things are also fine, but when I select IPS mode to On, this is when Speedtest will then crash the WAN and I have to reboot. I also get the WAN IP zeroed as in 0.0.0.0 as some of the earlier posts mentioned.
#70
--See last Phantomsfbw post in this thread to see solution-- Just moved over from the last stable version of OPNsense to this RC. The RC crashes the network when running a SpeedTest during the Upload test. I can still access the wired LAN, but Internet access is blown away. Must reboot OPNsense to get WAN service back. I have narrowed it to the IPS if it is turned on. I was able to narrow it by doing a complete reinstall and turning on one capability after another. Running Unbound with TLS-DNS. WAN IP is DHCP. Using Cloudflare DNS 1.1.1.2 and 1.0.0.2.

1G symmetrical service provider through Verizon FIOS. The WAN NIC is an Intel 1G on board motherboard. No issues in the past or under last stable OPNsense version.

Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz (12 cores) and 16G Ram