Interface lost with 18.7.10

[chemlud]

No VIP, IPS on this interface: Yes.

The whole interface is only populated by a single client, which basically does web browsing, which is accessed via VNC from a client on a different interface of the same sense install. So not THAT much to do.

Was running stable for weeks, before going down twice today after update. Should I reverse to 18.7.9 and see how that works?

[franco]

18.7.10 added Suricata 4.1... if it runs in IPS mode it could do things to the link...

# opnsense-revert -r 18.7.9 suricata

(restart suricata)


Cheers,
Franco

[chemlud]

In the suricata log there is nothing. and also no alerts for this interface at that time...

will revert and see....

[chemlud]

All stable here now :-)

[franco]

Hmmm, I'll push this to the Suricata guys for help... I assume that without IPS mode it's ok on 4.1.

Makes more sense than Unbound having to do with it.


Thanks,
Franco

[chemlud]

Unbound is simply killed off if I try something after 18.7.7 (but never had a a look at 18.7.8 though...) with DNS over TLS and LibreSSL (was stable with OpenSSL, iirc). This naturally "kills the internet" (as my users complain) completely and on all interfaces.

This one dying interface yesterday started with 18.7.10 (installed yesterday in the morning), however, suricata IPS is running on 3 interfaces on this box, with another interface under much heavier load, but never going down. Can it be something with the VNC traffic to/from the interface which has problems? No idea...   

[franco]

Too hard to tell at this point. But Suricata is the only service that can stop packet flow or somehow bring an interface down/up due to the IPS mode which hooks into the network stack (and this already causes a down/up).

I just don't know whether Unbound DoH and TLS is ready for prime yet seeing all these reports of crashes.


Cheers,
Franco

[chemlud]

Unbound >1.8.1 using DNS over TLS  PLUS LibreSSL is the combination that lets unbound crash every 10-20 min.

I have two installs with OpenSSL und the latest Unbound doing just fine with DNS over TLS (same config as on unbound crashing with LibreSSL).

But two installs with LibreSSL don't like Unbound >1.8.1 with DNS over TLS.

DNS over TLS or DNS over HTTPS should be standard imho ;-)

[bruch05]

Hello,

I'm Christophe from Paris. For your information, i've the same behavior on a WAN IF.

Every 9 mn the WAN GW is unavailable. Just a SAVE and an APPLY on WAN interface parameter panel (or physical disconnect/reconnect) restores the data flow.

(To confirm that issue is under OpnSense, I've tested directly with a laptop connected to the FO PON and i haven't issue.)

All the parameters like LRO, TSO, EEE are correctly set. I've perform a test with a different NIC, and same issue.

I've perform this command 'opnsense-revert -r 18.7.9 suricata' and reboot. Despite this, the bad behavior still remains. The Service Intrusion Detection is not enabled.

Add-on : opnsense-revert -r 18.7.7 unbound. The issue is always present.

I feel, we have the same issue. If you prefer, i can open a specific topic. Please let me know.

I've this contrab task to workaround the issue.



Best regards and thank you by advance for your advises.
Christophe

[chemlud]

I removed the GeoIP blocking rule (see here: https://forum.opnsense.org/index.php?topic=11020.0)

and updated suricata. Reboot.Wait'n see.

(@Christophe: As your problems persist even after downgrading suricata I would assume you have a different problem)

[chemlud]

Interface went down again. No log entries. Pulled Rj45, waited 10 sec. plugged in again, interface is online again.... :-(

Downgrading again.