24.1 IDS breaks internet

Started by Frickey, January 30, 2024, 04:50:01 PM

I just upgraded to 24.1 without changing any settings.
After the update, when the suricata service is running all internet traffic freezes. Hardware offloading is disabled; even re-enabling and disabling it doesn't help.

Any ideas where the problem might be?

Thanks.


IPS mode I guess? Same same, but different every time. These things are hard to trace up front.


Cheers,
Franco

It even happens when only IDS is enabled and no IPS. I'll try the configs from danderson.

January 30, 2024, 06:20:07 PM #4 Last Edit: January 30, 2024, 06:37:43 PM by db9
I have the same issue after upgrading to 24.1.

The egress connection to the Internet works for a couple of minutes after starting the firewall. After this period the traffic to the outside stops. After disabling IPS (suricata) the connections are restored. In my case IPS is enabled on the WAN interface.

I have changed my custom file with the help of this post. Now it looks stable for a couple of minutes.

https://forum.opnsense.org/index.php?topic=35130.msg

I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface, but not to LAN (LACP lagg with ixl interfaces).
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Quote from: seed on January 30, 2024, 06:36:47 PM
I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface, but not to LAN (LACP lagg with ixl interfaces).

Adding:

stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes


to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the post above.
Looks like a little hotfix must be released.
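Added example, not taken from this thread or from OPNsense itself: a small Python check that flattens the rendered Suricata configuration into dotted paths and reports whether the three settings from the custom.yaml snippet above are actually in effect. It assumes OPNsense renders the config to /usr/local/etc/suricata/suricata.yaml (pass another path as the first argument to override this) and that the settings live under `stream` and `app-layer.protocols` as in stock suricata.yaml; the embedded sample config is constructed for the demonstration, not copied from any poster's system. The indentation-based walker handles the plain key/value layout of suricata.yaml and skips sequence items, so it is a quick sanity check of the rendered file rather than a full YAML parser.

```python
"""Verify that custom.yaml overrides reached Suricata's rendered configuration.

Run without arguments to check the constructed sample below, or with the path
of the rendered config (assumed /usr/local/etc/suricata/suricata.yaml on OPNsense).
"""
import re
import sys

# Constructed sample of a rendered suricata.yaml; not a real file from this thread.
# It deliberately carries the "before" values so the check reports all three.
SAMPLE = """\
%YAML 1.1
---
stream:
  memcap: 64mb
  checksum-validation: yes
  midstream-policy: drop-flow
  reassembly:
    memcap: 256mb
app-layer:
  protocols:
    http2:
      enabled: no
    quic:
      enabled: no
    tls:
      enabled: yes
af-packet:
  - interface: igb0
    cluster-id: 99
"""

# The effective values the forum posts add via custom.yaml, expressed as the
# nested paths they occupy in stock suricata.yaml (assumption, see lead-in).
WANTED = {
    "stream.midstream-policy": "ignore",
    "app-layer.protocols.http2.enabled": "yes",
    "app-layer.protocols.quic.enabled": "yes",
}

# key: optional value, optional trailing comment
_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*(#.*)?$")


def flatten(text):
    """Flatten 'key: value' lines into a {dotted.path: value} dict.

    Indentation decides nesting. Comments, directives and sequence items
    ('- interface: igb0') are skipped, so this covers suricata.yaml's plain
    mapping sections but is not a general YAML parser.
    """
    out = {}
    stack = []  # (indent, key) of the mappings currently open
    for raw in text.splitlines():
        stripped = raw.lstrip()
        if not stripped or stripped.startswith(("#", "-", "%")):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            out[path] = value.strip("\"'")
        else:
            stack.append((indent, key))  # a mapping header opens a new level
    return out


def check(text, wanted=WANTED):
    """Return {path: (expected, actual)} for every wanted setting that is
    missing or differs in the rendered config; empty dict means all good."""
    cfg = flatten(text)
    return {
        path: (expected, cfg.get(path))
        for path, expected in wanted.items()
        if cfg.get(path) != expected
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    problems = check(text)
    for path, (expected, actual) in problems.items():
        print(f"{path}: expected {expected!r}, found {actual!r}")
    if not problems:
        print("all overrides are in effect")
    sys.exit(1 if problems else 0)
```

Run it against the rendered file after applying the template and restarting Suricata; a non-zero exit means at least one override did not land where expected, which is worth knowing before attributing a remaining outage to the override itself.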

Same issue here.
Running IPS on the LAN side.
The web GUI gets unresponsive after a few minutes and the network works like crap.
igb interfaces.
Intel i7-8550U - Intel I211 - RAM 16GB - NVMe 120Gb
Intel i7-5550U - Intel I211 - RAM 8GB - NVMe 50Gb

Quote from: seed on January 30, 2024, 06:46:34 PM

Adding:

stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes


to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the post above.
Looks like a little hotfix must be released.


Even with the fix applied I have problems reaching my servers by HTTP/HTTPS.
I disabled suricata for now.

Same issue. I have a very new installation from a few days ago. Suricata was enabled in IPS mode. I had only one rule set downloading for testing. After the upgrade, it seemed like most TCP traffic wasn't working through the firewall. DNS resolution with unbound was working fine. Echo requests/replies were working fine. I could load some things, but definitely not most. On a hunch, I eventually stopped Suricata and everything started working. I've just disabled it for now until I know what's going on.

Same issue here, disabling Suricata works. It was IPS on the WAN interface.
What is weird is that the same issue occurs with CrowdSec.

Same issue here but strangely enough only on 1 of the 2 WAN connections?!

The 'standard' WAN interface (igb0) stopped working but the other fiber interface (pppoe0) continued working. Both interfaces are in my Suricata interfaces list...

Hello,
same issue here.

After disabling suricata everything is stable again.

As soon as suricata is enabled the web interface freezes about 4-5 minutes later; no traffic goes through.

Version: OPNsense 24.1-amd64
Protectli FW4C

January 30, 2024, 09:21:00 PM #13 Last Edit: January 30, 2024, 09:22:50 PM by Cerberus
For me, disabling Suricata is not enough. IPv4 WAN is completely dead, IPv6 still works. Unbound can't resolve anything but has IPv4 and IPv6 upstream servers.

Update: the system has no IPv4 default gateway anymore.

I have the same issue, even with the addition to the custom.yaml. Disabled suricata for now and all working.

Quote from: seed on January 30, 2024, 07:42:46 PM

Even with the fix applied I have problems reaching my servers by HTTP/HTTPS.
I disabled suricata for now.