IPS Problems after upgrade

Started by fesarlis, January 30, 2022, 06:10:51 PM

January 30, 2022, 06:10:51 PM Last Edit: January 30, 2022, 06:39:41 PM by fesarlis
Hello,
I have maintained a fairly simple installation of OPNsense for many years now (2 WANs, IDS/IPS enabled on WAN1, WAN2). Today I upgraded to the latest version (22) and started having issues with intrusion detection. In particular, all of a sudden I totally lose connectivity to the WAN interface after a couple of minutes. For the first two minutes after a Suricata restart, everything works fine. I examined the logs but cannot find anything relevant. I disabled all rulesets (haven't started with policies yet), yet the issue remains (btw, I don't know why, but rules remain active even if I disable all rulesets).

Only workaround is to disable IPS.

I would appreciate some help as I have not dealt with IDS in detail over the years mainly due to lack of time but also because it used to work fine with all the defaults.

Some details:

wan1 IP: 192.168.1.244 (wan1 gateway IP 192.168.1.254)
wan2 IP: 192.168.2.244 (wan2 gateway IP 192.168.2.254)
lan: 10.1.1.0/24

UPDATE1: I have tried the following: 1) removed all rules via CLI. Everything empty. 2) Problem still remains.
UPDATE2: I forgot to mention that of course all interface offloading settings are applied as suggested by documentation.

Thank you

Hi!
I would start with a config backup ;)
Then maybe you can try to get rid of per-rule settings in Services: Intrusion Detection: Policy#Rules Adjustments
(I would select IDs by 100 items and press the Delete selected button at the bottom. Be patient. It may take some time - wait for the screen to update with the next rules to delete).
At least this will make the config much smaller.

Then you can start adding policies (starting with Alert as the New action) and observing the results and logs.


Thank you for such fast reply.
I updated my initial post (perhaps you did not see it in time) that I have removed all rules from the system manually. Issue remains.

I feel I have to repeat, though, that all this started when I updated to VERSION 22.

Here is everything that is logged since starting IDS/IPS until it just starts dropping everything:


2022-01-30T19:50:44 Notice suricata [100183] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2022-01-30T19:50:44 Notice suricata [101761] <Notice> -- opened netmap:ue0/T from ue0: 0x886493300
2022-01-30T19:50:44 Notice suricata [101761] <Notice> -- opened netmap:ue0^ from ue0^: 0x886493000
2022-01-30T19:50:44 Notice suricata [101754] <Notice> -- opened netmap:ue0^ from ue0^: 0x85bc93300
2022-01-30T19:50:44 Notice suricata [101754] <Notice> -- opened netmap:ue0/R from ue0: 0x85bc93000
2022-01-30T19:50:44 Notice suricata [101753] <Notice> -- opened netmap:bge1/T from bge1: 0x830e93300
2022-01-30T19:50:44 Notice suricata [101753] <Notice> -- opened netmap:bge1^ from bge1^: 0x830e93000
2022-01-30T19:50:44 Notice suricata [101746] <Notice> -- opened netmap:bge1^ from bge1^: 0x806693300
2022-01-30T19:50:44 Notice suricata [101746] <Notice> -- opened netmap:bge1/R from bge1: 0x806693000
2022-01-30T19:50:44 Warning suricata [100183] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
2022-01-30T19:50:43 Notice suricata [100213] <Notice> -- This is Suricata version 6.0.4 RELEASE running in SYSTEM mode
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Stats for 'ue0': pkts: 10153, drop: 0 (0.00%), invalid chksum: 0
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Stats for 'bge1': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Signal Received. Stopping engine.

Hi! Sorry for the delay (I missed it somehow), but not many ideas. I would probably try to remove ue0 from the IDPS interfaces.

Quote from: Fright on February 02, 2022, 09:02:00 PM
Hi! Sorry for the delay (I missed it somehow), but not many ideas. I would probably try to remove ue0 from the IDPS interfaces.

Yep, saw this today as well, thrashing on a WAN link with DHCPv6 tracking enabled. ue0 isn't a good choice for IPS. Seems to have gotten worse with 22.1, or it wasn't working on 21.7 and below at all, which is more likely, as that wouldn't cause issues but also wouldn't cause any alerts at all. ;)


Cheers,
Franco
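
The checks discussed in this thread can be run over the posted log mechanically. The following is an added example, not code from the thread, from OPNsense or from Suricata: it parses Suricata's netmap "opened netmap:" and "Stats for" lines, reports which interfaces Suricata attached to, flags any ue(4) interface (the name FreeBSD gives USB Ethernet adapters, which this example treats as the "USB NIC" case Franco describes) and flags the SC_ERR_NO_RULES_LOADED warning, which confirms the loss of connectivity happens with no rules at all. The sample log below is constructed from the lines quoted above; the function names and the ue-prefix heuristic are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the Suricata lines quoted in the thread
# (not the poster's complete log).
SAMPLE_LOG = """\
2022-01-30T19:50:44 Notice suricata [100183] <Notice> -- all 4 packet processing threads, 4 management threads initialized, engine started.
2022-01-30T19:50:44 Notice suricata [101761] <Notice> -- opened netmap:ue0/T from ue0: 0x886493300
2022-01-30T19:50:44 Notice suricata [101761] <Notice> -- opened netmap:ue0^ from ue0^: 0x886493000
2022-01-30T19:50:44 Notice suricata [101754] <Notice> -- opened netmap:ue0/R from ue0: 0x85bc93000
2022-01-30T19:50:44 Notice suricata [101753] <Notice> -- opened netmap:bge1/T from bge1: 0x830e93300
2022-01-30T19:50:44 Notice suricata [101746] <Notice> -- opened netmap:bge1/R from bge1: 0x806693000
2022-01-30T19:50:44 Warning suricata [100183] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Stats for 'ue0': pkts: 10153, drop: 0 (0.00%), invalid chksum: 0
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Stats for 'bge1': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2022-01-30T19:50:43 Notice suricata [100293] <Notice> -- Signal Received. Stopping engine.
"""

# Suricata names its netmap endpoints "<iface>/T" and "<iface>/R" (NIC rings)
# and "<iface>^" (host stack ring); only the interface name matters here.
NETMAP_RE = re.compile(r"opened netmap:(?P<iface>[a-z]+\d+)(?:/[TR]|\^)")
STATS_RE = re.compile(
    r"Stats for '(?P<iface>[^']+)': pkts: (?P<pkts>\d+), drop: (?P<drop>\d+) "
    r"\([^)]*\), invalid chksum: (?P<chksum>\d+)"
)
ERRCODE_RE = re.compile(r"\[ERRCODE: (?P<code>[A-Z_]+)\(\d+\)\]")

# Assumption used by this example: FreeBSD attaches USB Ethernet adapters
# as ue(4), i.e. ue0, ue1, ...
USB_PREFIX = "ue"


def parse_suricata_log(text: str) -> Dict[str, object]:
    """Collect netmap interfaces, per-interface stats and error codes."""
    interfaces: List[str] = []
    stats: Dict[str, Dict[str, int]] = {}
    errcodes: List[str] = []
    for line in text.splitlines():
        m = NETMAP_RE.search(line)
        if m:
            if m.group("iface") not in interfaces:
                interfaces.append(m.group("iface"))
            continue
        m = STATS_RE.search(line)
        if m:
            stats[m.group("iface")] = {
                "pkts": int(m.group("pkts")),
                "drop": int(m.group("drop")),
                "invalid_chksum": int(m.group("chksum")),
            }
            continue
        m = ERRCODE_RE.search(line)
        if m:
            errcodes.append(m.group("code"))
    return {"interfaces": interfaces, "stats": stats, "errcodes": errcodes}


def findings(parsed: Dict[str, object]) -> List[str]:
    """Turn the parsed log into the checks a troubleshooter would make."""
    out: List[str] = []
    for iface in parsed["interfaces"]:
        if iface.startswith(USB_PREFIX):
            out.append(f"{iface}: ue(4) USB Ethernet interface attached in "
                       "netmap mode; not a good choice for IPS")
    if "SC_ERR_NO_RULES_LOADED" in parsed["errcodes"]:
        out.append("no rules loaded: the symptom does not depend on the ruleset")
    for iface, s in parsed["stats"].items():
        if s["invalid_chksum"] > 0:
            out.append(f"{iface}: {s['invalid_chksum']} invalid checksums; "
                       "check that hardware offloading is disabled")
        if s["drop"] > 0:
            out.append(f"{iface}: {s['drop']} packets dropped by Suricata")
    return out


if __name__ == "__main__":
    for f in findings(parse_suricata_log(SAMPLE_LOG)):
        print(f)
```

On the quoted log this reports two findings: ue0 is a USB interface running in netmap mode, and Suricata started with no rules loaded. Feed it `/var/log/suricata/suricata.log` from the firewall to run the same checks on a live log.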

Same issue here - after upgrading from 21.7.8 to 22.1, with IPS enabled, major issues. WAN is OK - I can remotely connect to the firewall via OpenVPN, but LAN clients cannot connect. Super simple setup, single WAN connection, flat network, no VLANs. For now, I disabled IPS, waiting for the 22.1.1 update.

February 08, 2022, 05:28:24 PM #6 Last Edit: February 08, 2022, 05:40:07 PM by Rober
Whoops I meant to post over here https://forum.opnsense.org/index.php?topic=26583.0

This issue still remains after all recent updates. Anyone still facing the same problem?

It is my understanding that replacing the USB interface cannot be considered a solution.

After the upgrade to 22.1.4_1 my fw would just stop: no traffic out, can't log in to the GUI. From the console I did option 11 to restart everything and could get into the GUI. Disabled IPS and it seems to be okay.

So is this issue still unresolved, or will it just not be resolved? In that case, can someone from the dev team provide an answer and recommendation? At least if removing USB adapters is necessary, we have to know.

It is my understanding that the MOST important reason to have a firewall is the IDS system nowadays. So if something as trivial as not being able to work with USB adapters is confirmed, it should at least be put in the documentation.

Thanks

We are trying to find the root cause, which could be a FreeBSD 13 change, but we are looking for a needle in a haystack, which can only progress with enough time and input. In lab tests, the issue could not be confirmed as of yet, which can indicate that external factors are at play as well, making it more difficult.


Cheers,
Franco

Issue remains with the latest version.