IPS interferes with internal LAN traffic

[wkoch]

I'm using OPNsense 20.7 as router between a LAN and WAN and Suricata is activated in IPS mode on the LAN interface only.

As soon as IPS mode is enabled and traffic within the LAN increases, I'm faced with strange delays in transmission between different PCs within the LAN. Simple requests to our servers, that are usually answered within milliseconds, suddenly can take up to several seconds or even time out.

Please note that I am talking about problems with communication WITHIN the LAN subnet, not connections that are routed through OPNsense!

It is very hard to tell, but I think this mostly affects communication with virtualized servers (running in ProxmoxVE KVM environments), where several server VMs share a single NIC for communication. I am running 2 physical Proxmox VE machines with several VMs each. The problem is observed with both machines. But at times, even access to the OPNsense Web interface is slowed down.

All PCs, servers and devices in the LAN subnet are configured with static IPs. The whole setup can work without any router attached.

I am using a 24 port unmanaged switch with most devices and OPNsense attached directly, but there are also some devices connected to cascaded switches (all unmanaged). OPNsense runs on a supermicro RI1102D-F server with 6 onboard NICs.

The IPS does not report any alerts. If switched to IDS mode, the "interference" stops immediately and everything is running full speed.

Load average is at approximately 1.5 with a 4 core / 8 threads processor.

I have absolutely no idea, what is happening here. I don't see any reason, the IPS should interfere with traffic not addressed to the outside / OPNsense. Could suricata be flooding the LAN with packets?

Currently, I am forced to leave IPS disabled.

Any ideas are greatly appreciated!

Thank you,
  Walter

[chemlud]

Hi!

Anything in the system logs that interfaces are going down/up?

https://forum.opnsense.org/index.php?topic=19851.msg92594#msg92594

https://forum.opnsense.org/index.php?topic=19851.msg92642#msg92642

[wkoch]

Hi Chemlud.
I checked the log -> the interfaces were up all the time.

[djbmister]

IPS works best when set to the WAN interface - to capture inbound traffic coming to you clients on the lan side.

If you want to monitor LAN clients outbound usage for malware etc, then set a limited rule set to track what they are up to, then selectivly enable specific ruleset.

You probably find you have too many rules enabled and your poor router is getting overwhelmed, sucrita is very cpu and memory intensive if you have alot of rules enabled. Remember, even if the rules are not set to drop, it still tracks each rule - using up cpu and memory usage.

[petero]

This is absolutely a problem with suricata on 20.7. All traffic comes to a standstill in IPS mode, CPU utilization drops to 0% (occasionally enough packets get through to see the CPU graph). I know it's a problem because the exact same system ran 20.1 for a year with suricata in IPS mode with no issues at all. This isn't a performance issue, it's a thread-locking issue or something similar.