After update OPNsense 24.1.2 and Suricata 7 VoIP is dead

[itn3rd77]

Hi,

after the update to 24.1.2 and Suricata 7 on board back again my VoIP stopped working. My VoIP phone (a Grandstream) sometimes gets a connection to my provider but no outgoing or incoming calls are posible.

Disabling Suricata brings everything back to life instantly. Enabling Suricata breaks the setup again. Nothing related is shown in the logs of Suricata or that anything is blocked. No other changes done on system just the update to update to 24.1.2.

Running without Suricata now. Any help is appreciated!

Thanks and best regards
Ingo

[misterk]

Hi,

same problem here with Snom Phones.
After disable IPS Mode it work fine.

Best regards
Florian

[HW]

Same problem here with Yealink Dect. Rolled back to 24.1.1

[franco]

Disable IPS?

Diagnosing these issues will cost a lot of time and we're not going to roll back Suricata 7 anymore.


Cheers,
Franco

[amw-tue]

Is it possible that there is a connection between this thread and the topic "Suricata - NUMA nodes" in suricata 7.0.3?
I had the same issues as desribed above as well as the errors in the log regarding the numa nodes mentioned by fadern.

[itn3rd77]

After install of patch OPNsense 24.1.2_1 today my VoIP phone is working again with Suricata 7 and IPS enabled. I don't get the point but will not complain.

Can anybody confirm this?

Best regards
Ingo

[vik]

same issue here ... 24.1.2 and Suricata 7 breaks VOIP for me

[ChrisChros]

After install of patch OPNsense 24.1.2_1 today my VoIP phone is working again with Suricata 7 and IPS enabled. I don't get the point but will not complain.

Can anybody confirm this?

I cannot confirm the behavior. I have also installed 24.1.2_1 and my VoIP was not able to connect to the service provider. After disabling IPS Mode in Suricata the phone is able to establish a connection again to the provider.

[guenti_r]

Same issue here with 24.1.2.
Updated to 21.1.2_1, restarted OPNSense does not bring VoIP back.
Then i disabled & enabled Suricata and now it is working again!

[amw-tue]

I can confirm that 24.1.2_1 makes no difference, VOIP is not working as long IPS is active.

[mimugmail]

Can you try this?
https://forum.opnsense.org/index.php?topic=38989.0

[itn3rd77]

Hi,

sorry for my false positive. It does not work for me either after 21.1.2_1  :-[

I got my hands on mimugmail post and searched eve.json for my drops:

Code Select Expand

{"timestamp":"2024-02-22T07:52:13.119012+0100","flow_id":1076748976560117,"in_iface":"igb1","event_type":"drop","vlan":[42],"src_ip":"192.168.42.100","src_port":20538,"dest_ip":"185.22.44.186","dest_port":5060,"proto":"UDP","pkt_src":"wire/pcap","direction":"to_server","drop":{"len":48,"tos":104,"ttl":64,"ipid":8685,"udplen":28,"reason":"applayer error"}}


As described I added the following to /usr/local/etc/suricata/custom.yaml and restarted Suricata:

Code Select Expand


app-layer:
  error-policy: ignore


No more drops in eve.json for 30 minutes and phone still connected.

I can't judge if this is harmless and the way to go. Besides that if you click "Apply" button in the UI the /usr/local/etc/suricata/custom.yaml get's overwriten with the template /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml.sample.

What's the right way to do customizations?

Best regards and sorry again for my false positve
Ingo

[mimugmail]

Better to add a checkbox in UI

[ChrisChros]

Can you try this?
https://forum.opnsense.org/index.php?topic=38989.0

I implemented the suggestion but my phones have still a problem to connect to the provider. Not directly after the modification but after some time.
After disabling the IPS mode within seconds the phones are connected.

[misterk]

24.1.2_1 make no difference. IPS Mode off and all the phone work.