Topic: Suricata IPS always overloads CPU then freezes OPNsense (Read 1155 times)
opnsenseless123
Newbie
Posts: 2
Karma: 0
Suricata IPS always overloads CPU then freezes OPNsense
« on: February 22, 2024, 04:44:13 pm »
Hi everyone, kind of a noob. Have a pretty simple setup, but running into issues when I turn on IPS. Really just using for firewall, VPN, NAT, IDS, and DNS server. Have wireguard running with multiple interfaces using a gateway group for failover. Firewall with nothing too crazy except the rules needed for wireguard and NAT. Using Unbound DNS from opnsense.
Filtered the rules with IDS in suricata to know which ones are relevant. Every time I turn on IPS, one of the CPU cores maxes out, then the opnsense box freezes. I have to restart it then turn off IPS shortly after bootup. Not really sure what to look for or do? All the hardware offloading is disabled. Not really sure what to look at. If someone could please provide some guidance? Using the most recent version of opnsense (realize there were some rollbacks with suricata, but I had this issue on the last major version as well).
Nothing fancy for CPU: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz (2 cores, 2 threads), and the internet speed is at 1.2 Gb/s. No cooling solution. Maybe need a more powerful box? One odd thing was looking at installing zenarmor, but it believes that hardware offloading is still on. Which is weird because on the interfaces -> settings have all four settings disabled. Maybe offloading is turned on somewhere else so suricata can't perform?
deajan
Newbie
Posts: 36
Karma: 1
Re: Suricata IPS always overloads CPU then freezes OPNsense
« Reply #1 on: February 23, 2024, 01:13:14 pm »
Loading suricata rules creates a python process that indeed maxes out CPU, but should only be slow, not freeze your OPNSense instance.
This loading process also consumes a lot of RAM, you should check whether this is your culprit.
From my experience, running OPNSense on too low-end hardware isn't the best.
I've got a couple of J4125 (2GHz 4 cores) boxes running OPNSense, and they needed an extra cooling fan just to not go through the roof, on top of slowing down throughput when scaling down CPU frequency.
Last but not least, don't run OPNsense on cheap Realtek NICs, which could explain why zenarmor isn't happy with the offloading.
The world has 6 strings, and I got a pick
opnsenseless123
Newbie
Posts: 2
Karma: 0
Re: Suricata IPS always overloads CPU then freezes OPNsense
« Reply #2 on: February 23, 2024, 05:46:12 pm »
That all seems to check out with my situation...thank you!
Do you also know another place to check offloading settings? In interfaces -> settings I have all four disabled. But was tinkering with zenarmor and it seems to think hardware offloading is enabled somewhere. By looking at settings it's not though. Seems like a contributing factor as well.
deajan
Newbie
Posts: 36
Karma: 1
Re: Suricata IPS always overloads CPU then freezes OPNsense
« Reply #3 on: February 27, 2024, 11:01:16 am »
You could check in the system tunables where you have the `net.inet.tcp.tso` setting.
Have you selected Zenarmor native routed L3 native netmap driver?
The world has 6 strings, and I got a pick
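Added example, not part of the thread and not OPNsense or Zenarmor code: one way to cross-check the GUI offload settings discussed above is to read the `options=<...>` capability list that FreeBSD `ifconfig` prints per interface and report any offload capability still enabled. The function names, the set of capability names treated as offloads, and the sample output (interface names, option values, MAC addresses) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Report interfaces whose ifconfig "options=<...>" list still contains
# hardware offload capabilities (checksum, TSO, LRO, VLAN filtering).
# offload_flags is a hypothetical helper name; it reads ifconfig text on stdin.
offload_flags() {
    awk '
        # Stanza header, e.g. "igb0: flags=8843<UP,...> metric 0 mtu 1500"
        $1 ~ /:$/ && $2 ~ /^flags=/ { iface = $1; sub(/:$/, "", iface); next }
        # Capability line, e.g. "options=...<RXCSUM,TXCSUM,TSO4,...>"
        $1 ~ /^options=/ {
            caps = $0
            sub(/^[^<]*</, "", caps)   # drop everything up to the first "<"
            sub(/>.*$/, "", caps)      # drop the closing ">" and anything after
            n = split(caps, cap, ",")
            hit = ""
            for (i = 1; i <= n; i++)
                if (cap[i] ~ /^(RXCSUM|TXCSUM|RXCSUM_IPV6|TXCSUM_IPV6|TSO4|TSO6|LRO|VLAN_HWFILTER|VLAN_HWTSO)$/)
                    hit = hit (hit == "" ? "" : ",") cap[i]
            if (hit != "") print iface ": " hit
        }
    '
}

# Constructed sample in FreeBSD ifconfig format: igb0 still has offloads
# enabled, igb1 has them all cleared. Values are illustrative only.
sample_ifconfig() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=802528<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,VLAN_HWFILTER>
	ether 00:00:5e:00:53:01
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=802028<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,WOL_MAGIC>
	ether 00:00:5e:00:53:02
EOF
}

# Demo on the constructed sample. On the firewall shell the live check is:
#   ifconfig -a | offload_flags; sysctl net.inet.tcp.tso
sample_ifconfig | offload_flags
```

An interface that appears in the output still has offloading active at the driver level regardless of what the settings page shows; an empty result means none of the listed capabilities are enabled.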