link goes down on WAN using IDS/IPS

Started by dcol, November 19, 2017, 09:23:37 PM

Ok, just wanted to be sure. Could be what you said is true: at least some level of quality in equipment is required for flawless IPS. Maybe we should assemble a list of requirements and put that in the docs as well.


Cheers,
Franco

Yes, I believe that achieving a stable IPS requires a certain level of hardware. We already know that only certain NICs are capable of running netmap. I will start testing other hardware and processors over the next few weeks. When I have some results, I will post a new thread in this category.

In the meantime, for other users running OPNsense with IPS on the WAN interface, post your hardware and experience in this thread, i.e. CPU, memory, chipset, NIC.

I stand corrected, sort of. I do suggest at least 4 cores and 2 GHz processing power, as well as a minimum of 8 GB memory. The sticky in this topic has more to do with the issue.

I saw this discussion and I have exactly the same problem:
IDS/IPS enabled on LAN: working fine.
IDS/IPS enabled on WAN (without a router in front of the firewall): the WAN interface is going down and up (see log below).
IDS/IPS enabled on WAN (with an Apple AirPort Express in front of it): everything is working fine.

I have a Jetway NF9HB with 4x Intel i211AT Gigabit Ethernet NICs.
Processor: Intel Celeron N2930 SoC, 1.83 GHz (2.16 GHz burst), quad-core.

Is there already a solution for running IDS/IPS on the WAN without an extra router?
What triggers the WAN connection to go down? If I can test something on my firewall to solve the problem, please let me know.

Problem Log:
Jun 22 14:57:42   kernel: igb0: link state changed to UP
Jun 22 14:57:38   kernel: igb0: link state changed to DOWN
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 84.28.94.1.
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: keeping current default gateway '84.28.94.1'
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 84.28.94.1
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: no IPv6 default gateway set, assuming wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Jun 22 14:57:33   opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '84.28.94.1'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 84.28.94.1
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: On (IP address: 84.28.94.25) (interface: WANzigo[wan]) (real interface: igb0).
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jun 22 14:57:31   kernel: igb0: link state changed to UP
Jun 22 14:57:27   kernel: igb0: link state changed to DOWN
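The log above shows two DOWN/UP cycles on igb0 a few seconds apart. To put a number on how often and how long the WAN link is dropping, here is an added example (not from the thread or from OPNsense itself) that reads the kernel "link state changed" lines from a system log, pairs each DOWN with the following UP per interface, and reports the flap count and outage durations. The sample log is a constructed copy of the lines posted above; the script assumes all lines fall on the same day, since the syslog timestamp carries no year and only the time of day is compared.

```shell
#!/bin/sh
# Added example: summarise link flaps from OPNsense/FreeBSD kernel log lines.
# Reads log lines on stdin, keeps only
#   "Mon DD HH:MM:SS  kernel: <iface>: link state changed to DOWN|UP",
# sorts them chronologically (the forum post lists newest first), and pairs
# each DOWN with the next UP on the same interface.
# Output, one line per interface:  igb0 flaps=2 down_seconds=4,4
# Assumption: all lines are from the same day (only HH:MM:SS is compared).

# Constructed sample input: the kernel lines from the post, newest first.
SAMPLE_LOG=$(cat <<'EOF'
Jun 22 14:57:42   kernel: igb0: link state changed to UP
Jun 22 14:57:38   kernel: igb0: link state changed to DOWN
Jun 22 14:57:37   opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Jun 22 14:57:32   opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb0'
Jun 22 14:57:31   kernel: igb0: link state changed to UP
Jun 22 14:57:27   kernel: igb0: link state changed to DOWN
EOF
)

# flap_report: stdin = log lines, stdout = "<iface> flaps=N down_seconds=a,b,..."
flap_report() {
    awk '
        /kernel: [a-z0-9]+: link state changed to (UP|DOWN)/ {
            # $3 is HH:MM:SS, $5 is "igb0:", $NF is UP or DOWN
            split($3, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            iface = $5; sub(/:$/, "", iface)
            print secs, iface, $NF
        }
    ' | sort -n | awk '
        $3 == "DOWN" { down[$2] = $1; next }
        $3 == "UP" && ($2 in down) {
            flaps[$2]++
            dur[$2] = (dur[$2] == "" ? "" : dur[$2] ",") ($1 - down[$2])
            delete down[$2]
        }
        END {
            for (i in flaps)
                printf "%s flaps=%d down_seconds=%s\n", i, flaps[i], dur[i]
        }
    ' | sort
}

# flapping_ifaces THRESHOLD: print interfaces with at least THRESHOLD flaps.
flapping_ifaces() {
    threshold=${1:-2}
    flap_report | awk -v n="$threshold" '
        { split($2, f, "="); if (f[2] + 0 >= n) print $1 }
    '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flap_report
```

Run it against the real log with `grep 'link state changed' /var/log/system.log | flap_report` (path assumed; adjust to where your OPNsense version keeps the kernel log). Outages of a few seconds that recur every time IPS is active on the interface, and never on LAN, are the pattern this thread is describing.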

June 25, 2018, 11:14:38 AM #19 Last Edit: June 25, 2018, 11:19:48 AM by marjohn56
Quote from: dcol on December 12, 2017, 03:56:26 PM
I stand corrected, sort of. I do suggest at least 4 cores and 2 GHz processing power, as well as a minimum of 8 GB memory. The sticky in this topic has more to do with the issue.


Wonder if it's anything to do with the Meltdown and Spectre mitigation fixes?


To opt out of one or both features, the following values can now be persistently set under System: Settings: Tunables:

Disable PTI via "vm.pmap.pti" to "0" and a reboot, and

Disable IBRS via "hw.ibrs_disable" to "1" with a simple "Apply".
Here are the full patch notes:

Edit: Thinking again, I don't see how it could be, though... just a thought.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

> Intel i211AT Gigabit Ethernet

Should wait and see if the newer drivers from 11.2 are working better. We will have a call for testing for 18.7 out soon. (We will use FreeBSD 11.1 with several driver updates.)


Cheers,
Franco

The tunables fixed it for me long ago. Interested to test the new Intel drivers.