opnsense IPS blocking Unbound?

Started by furfix, August 24, 2023, 11:32:35 PM

Hi all! Wondering if somebody can help me here :)

I configured Suricata on WAN following this blog a long time ago: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

but something weird has been happening since yesterday, and I just don't know what.

I have a Proxmox Debian VM running AdGuard Home + Unbound as DNS upstream on the same machine, and for some reason Suricata is blocking the resolution of the domain www.cloudflare.com

This is only happening with cloudflare.com (or at least that's the only one I've noticed so far).



The source is my WAN IP and the destination is a cloudflare subnet on port 53.

If I restart the IPS service, it looks like it works fine for 30 min / 1 h, but then Suricata starts blocking it again.

Any idea? Is this VM compromised somehow? No ports are exposed to the internet or anything. All local.

OPNsense (23.7.2-amd64) is running bare metal in a different box than Proxmox.

Update 1: Suricata is blocking Unbound, it's not blocking AdGuard Home.

Update 2: If I remove the WAN IP from the "Home networks" field in OPNsense >> Intrusion Detection, it looks like it's working, but I'm not sure if Suricata will capture anything without the WAN IP.

Update 3: these are the rules I'm using:
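The usual way to find out which rule is hitting Unbound's outbound queries is to read Suricata's eve.json rather than the GUI alert list, filter for alerts whose source is the address the resolver shows up with on WAN and whose destination port is 53, and count by SID. The script below is an added example, not something from the forum post or from OPNsense itself; it assumes a hypothetical WAN address of 203.0.113.10 for the resolver, and the eve.json records embedded in it are constructed (the SIDs are in the local-rule range and the signature text is made up). It also prints Suricata `threshold.config` suppress lines scoped to the resolver's IP, which is narrower than disabling a rule for every host; whether OPNsense's GUI exposes threshold.config on a given release is an assumption the reader should check rather than something the post establishes.

```python
"""Triage Suricata eve.json alerts that hit a resolver's outbound DNS.

Added example; not code from the original post or from OPNsense/Suricata.
Assumptions: the resolver appears on WAN as 203.0.113.10 (hypothetical),
eve.json is newline-delimited JSON, and SAMPLE_EVE below is constructed.
"""
import json
from collections import Counter

# Constructed sample eve.json lines. SIDs 1000001/1000002 are placeholders in
# the local-rule range, not real ET rule IDs; addresses are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2023-08-24T22:10:01.000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":41000,"dest_ip":"198.51.100.5","dest_port":53,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED dns query to authoritative server","category":"Misc activity"},"dns":{"query":[{"rrname":"www.cloudflare.com","rrtype":"A"}]}}
{"timestamp":"2023-08-24T22:10:02.000+0000","event_type":"dns","src_ip":"203.0.113.10","src_port":41001,"dest_ip":"198.51.100.6","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.net","rrtype":"A"}}
{"timestamp":"2023-08-24T22:10:03.000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":41002,"dest_ip":"198.51.100.5","dest_port":53,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED dns query to authoritative server","category":"Misc activity"},"dns":{"query":[{"rrname":"www.cloudflare.com","rrtype":"AAAA"}]}}
{"timestamp":"2023-08-24T22:10:04.000+0000","event_type":"alert","src_ip":"192.0.2.7","src_port":5555,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED ssh scan","category":"Attempted Information Leak"}}
"""


def parse_eve(text):
    """Yield parsed eve.json events, skipping blank or malformed lines
    (a truncated last line is normal when reading a live log)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def resolver_dns_alerts(events, resolver_ip, dns_port=53):
    """Keep only alert events where resolver_ip is the source and the
    destination is the DNS port, i.e. the resolver's own upstream queries."""
    return [
        ev for ev in events
        if ev.get("event_type") == "alert"
        and ev.get("src_ip") == resolver_ip
        and ev.get("dest_port") == dns_port
    ]


def summarize(alerts):
    """Count alerts per (gid, sid, signature, action) and collect the
    queried names from the alert's dns metadata when Suricata logged it."""
    counts = Counter()
    names = {}
    for ev in alerts:
        a = ev["alert"]
        key = (a.get("gid", 1), a["signature_id"], a["signature"],
               a.get("action", "unknown"))
        counts[key] += 1
        for q in ev.get("dns", {}).get("query", []):
            names.setdefault(key, set()).add(q.get("rrname"))
    return counts, names


def suppress_lines(counts, resolver_ip):
    """Suricata threshold.config entries that silence each offending SID for
    the resolver's address only (track by_src), leaving the rule active for
    every other host. Review each line before deploying it."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {resolver_ip}"
        for (gid, sid, _sig, _action) in sorted(counts)
    ]


if __name__ == "__main__":
    RESOLVER = "203.0.113.10"  # hypothetical WAN address of the resolver
    alerts = resolver_dns_alerts(parse_eve(SAMPLE_EVE), RESOLVER)
    counts, names = summarize(alerts)
    for key, n in counts.most_common():
        gid, sid, sig, action = key
        print(f"{n:4d}  {action:8s} {gid}:{sid}  {sig}  "
              f"names={sorted(names.get(key, []))}")
    print("\n".join(suppress_lines(counts, RESOLVER)))
```

On an OPNsense box you would replace SAMPLE_EVE with the contents of Suricata's eve.json and RESOLVER with the address Suricata actually sees as the source (on WAN that is the post-NAT WAN IP, which is why the post's alerts show the WAN IP rather than the VM's LAN address). One caveat on Update 2: Suricata's `$HOME_NET` variable is what the "Home networks" field populates, so dropping the WAN IP from it means any rule written with `$HOME_NET` as source or destination no longer matches traffic to or from that address, in both directions; it stops the false positive, but it also stops every other rule keyed on `$HOME_NET` from seeing that traffic. Identifying and suppressing the specific SID is the narrower fix.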