Suricata IPS always overloads CPU then freezes OPNsense

Started by opnsenseless123, February 22, 2024, 04:44:13 PM

Hi everyone, kind of a noob. Have a pretty simple setup, but running into issues when I turn on IPS. Really just using for firewall, VPN, NAT, IDS, and DNS server. Have wireguard running with multiple interfaces using a gateway group for failover. Firewall with nothing too crazy except the rules needed for wireguard and NAT. Using Unbound DNS from opnsense.

Filtered the rules with IDS in Suricata to know which ones are relevant. Every time I turn on IPS, one of the CPU cores maxes out, then the OPNsense box freezes. I have to restart it and then turn off IPS shortly after bootup. Not really sure what to look for or do? All the hardware offloading is disabled. Not really sure what to look at. If someone could please provide some guidance? Using the most recent version of OPNsense (I realize there were some rollbacks with Suricata, but I had this issue on the last major version as well).

Nothing fancy for a CPU: Intel(R) Celeron(R) N4000 CPU @ 1.10GHz (2 cores, 2 threads), and the internet speed is 1.2 Gb/s. No cooling solution. Maybe I need a more powerful box? One odd thing: when looking at installing Zenarmor, it believes that hardware offloading is still on. Which is weird, because under Interfaces -> Settings I have all four settings disabled. Maybe offloading is turned on somewhere else, so Suricata can't perform?

Loading Suricata rules creates a Python process that indeed maxes out the CPU, but it should only be slow, not freeze your OPNsense instance.

This loading process also consumes a lot of RAM; you should check whether this is your culprit.

From my experience, running OPNsense on too low-end hardware isn't the best.

I've got a couple of J4125 (2 GHz, 4 cores) boxes running OPNsense, and they needed an extra cooling fan just to not go through the roof, on top of slowing down throughput when scaling down the CPU frequency.

Last but not least, don't run OPNsense on cheap Realtek NICs, which could explain why Zenarmor isn't happy with the offloading.
The world has 6 strings, and I got a pick ;)

That all seems to check out with my situation...thank you!

Do you also know another place to check offloading settings? Under Interfaces -> Settings I have all four disabled. But I was tinkering with Zenarmor, and it seems to think hardware offloading is enabled somewhere. Looking at the settings, it's not, though. Seems like a contributing factor as well.

You could check in the system tunables where you have `net.inet.tcp.tso` setting.

Have you selected the Zenarmor native routed L3 native netmap driver?
The world has 6 strings, and I got a pick ;)
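An added example (not from the thread and not part of OPNsense or Zenarmor) showing how to check the offloading state from the shell rather than from the GUI checkboxes. On FreeBSD, and therefore OPNsense, `ifconfig` lists each interface's active hardware features in the `options=<...>` line, and the system-wide TSO tunable the reply mentions is read with `sysctl net.inet.tcp.tso`. The script scans `ifconfig` text for the offload flags that netmap-based IPS is usually run without (checksum, TSO, LRO and VLAN TSO offload). The `SAMPLE_IFCONFIG` text is constructed to look like `ifconfig -a` output so the script runs offline; on a real box, feed it `"$(ifconfig -a)"` instead.

```shell
#!/bin/sh
# Added example: find NIC offload features still enabled on a FreeBSD/OPNsense box.
# Real usage:  offload_flags_enabled "$(ifconfig -a)"
#              tso_state "$(sysctl net.inet.tcp.tso)"
# Assumption: FreeBSD ifconfig option names (RXCSUM, TXCSUM, TSO4, TSO6, LRO, ...).

# Offload features that are normally turned off before running Suricata in IPS/netmap mode.
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWTSO"

# Constructed sample, not captured from a real system: igb0 still has offloading on,
# igb1 has it fully disabled.
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:11:22:33:44:55
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e0039<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
	ether 00:11:22:33:44:56
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>'

# Print one "<iface> <FLAG>" line per offload flag still active on a physical interface.
# Loopback is skipped: its checksum "offload" is irrelevant to IPS.
offload_flags_enabled() {
    printf '%s\n' "$1" | awk -v wanted="$OFFLOAD_FLAGS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[a-z0-9_.]+: /  { iface = $1; sub(/:$/, "", iface) }   # new interface block
        /options=/ && iface != "lo0" {
            s = $0
            sub(/.*options=[0-9a-fA-F]*</, "", s)                  # keep text after "<"
            sub(/>.*/, "", s)                                      # drop text after ">"
            m = split(s, f, ",")
            for (i = 1; i <= m; i++) if (f[i] in want) print iface, f[i]
        }'
}

# Number of offending flags across all interfaces (0 means offloading is really off).
offload_count() {
    offload_flags_enabled "$1" | grep -c .
}

# Interpret one line of `sysctl net.inet.tcp.tso` output: "net.inet.tcp.tso: 1".
tso_state() {
    case "$1" in
        *": 1") echo enabled ;;
        *": 0") echo disabled ;;
        *)      echo unknown ;;
    esac
}

# Stand-alone run against the constructed sample.
echo "Offload flags still enabled:"
offload_flags_enabled "$SAMPLE_IFCONFIG"
echo "Total: $(offload_count "$SAMPLE_IFCONFIG" || true)"
echo "TSO sysctl (constructed value): $(tso_state 'net.inet.tcp.tso: 1')"
```

If `offload_flags_enabled` reports anything for the interfaces Suricata is bound to, the GUI checkboxes are not the whole story on that box: the flags shown by `ifconfig` are what the driver is actually running with, and they can be switched off per interface with `ifconfig <iface> -rxcsum -txcsum -tso -lro` for the current boot to confirm whether that is what Zenarmor and Suricata are objecting to.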