Topic: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic (Read 10393 times)
hightechrdn
Newbie
Posts: 5
Karma: 0
Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
on: December 30, 2017, 09:16:35 pm
Note: I originally replied to this thread
https://forum.opnsense.org/index.php?topic=5173.0
as it describes the same symptoms as I am facing. However, I now see that the thread is in the 17.1 Legacy subforum and I am using the latest stable OPNsense release so this subforum seemed like a better location.
--------
Guest VM running OPNsense 17.7.11. The host is running Proxmox 5.1. Everything was installed in the last few days, so it is a fairly clean, out-of-the-box configuration.
The OPNsense VM is configured as an Internet router (standard auto NAT setup), one interface on the LAN and the other interface on the WAN. Both are bridged to dedicated host interfaces. Network devices are set to virtio in the VM configuration.
Network device HW offloading is disabled in OPNsense. I also have TX offload disabled at the host level using ethtool.
As soon as IPS is enabled, traffic through the router and from the VM itself to the WAN basically stops. tcpdump on the WAN interface shows a few packets but only a very small % of what should be there. Packets reported by tcpdump are truncated, each missing a different number of bytes.
Behavior is the same even with no IPS/IDS rules enabled. Disabling IPS restores full network functionality. If the network devices are switched to E1000, IPS works correctly and network traffic is forwarded/NAT'd, but CPU utilization goes up dramatically.
I am upgrading my Internet connection from 50Mbps to 200Mbps next week, so I am concerned OPNsense isn't going to get the job done, at least not without throwing a lot of HW/energy at the problem.
Has anyone found a solution to this problem, which appears to be caused when using IPS with the virtio driver/devices?
Last Edit: December 30, 2017, 11:39:44 pm by hightechrdn
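A small diagnostic for the truncated-packet symptom described in the post above, added here as an example and not part of the original thread: it reads a classic pcap (as written by tcpdump -w) and lists records whose captured length is below both the on-wire length and the file's snaplen, which separates frames the capture path delivered incomplete from frames tcpdump itself cut at the snaplen. The sample frames, timestamps and script name are constructed.

```python
import struct
import sys

# Constructed example: minimal classic-pcap reader (no third-party modules) that flags
# records whose captured length is below their on-wire length AND below the file's
# snaplen, i.e. frames the capture path itself delivered incomplete (the symptom above),
# as opposed to frames legitimately cut at the snaplen by tcpdump -s.

_LE_MAGICS = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec timestamps
_BE_MAGICS = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def pcap_truncation_report(data: bytes):
    """Return (packet_count, snaplen, truncated); truncated holds tuples of
    (index, captured_len, wire_len, missing_bytes) for each suspicious record."""
    if data[:4] in _LE_MAGICS:
        endian = "<"
    elif data[:4] in _BE_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]  # global header, bytes 16-19
    offset, index, truncated = 24, 0, []
    while offset + 16 <= len(data):  # 16-byte record header: ts_sec, ts_usec, incl, orig
        incl_len, orig_len = struct.unpack(endian + "II", data[offset + 8:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError(f"record {index} runs past the end of the capture")
        if incl_len < orig_len and incl_len < snaplen:
            truncated.append((index, incl_len, orig_len, orig_len - incl_len))
        offset += incl_len
        index += 1
    return index, snaplen, truncated

def build_sample_pcap(snaplen: int, records) -> bytes:
    """Build a little-endian pcap in memory; records are (payload, wire_len) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # linktype 1 = Ethernet
    for i, (payload, wire_len) in enumerate(records):
        out.append(struct.pack("<IIII", 1514678195, i, len(payload), wire_len))
        out.append(payload)
    return b"".join(out)

# Constructed sample: four frames, two of them cut short by different amounts.
SAMPLE = build_sample_pcap(262144, [(b"A" * 1514, 1514), (b"B" * 700, 1514),
                                    (b"C" * 60, 60), (b"D" * 1200, 1514)])

if __name__ == "__main__":  # usage: python3 pcap_truncation.py [capture.pcap]
    count, snaplen, bad = pcap_truncation_report(
        open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE)
    print(f"{count} packets, snaplen {snaplen}, {len(bad)} truncated below snaplen:", bad)
```

Run it against a capture taken on the affected interface; many records with differing missing-byte counts while the snaplen is at its default points at the driver or capture path rather than at tcpdump's own snapshot length.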
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Reply #1 on: December 31, 2017, 06:42:32 am
No, this is sadly still an open issue
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
hightechrdn
Newbie
Posts: 5
Karma: 0
Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Reply #2 on: January 03, 2018, 12:32:13 am
Is the cause of the problem known at this point in time? More specifically, is the issue specific to OPNsense, or is it an upstream problem with one of the components used by OPNsense (e.g. Suricata, virtio driver, Linux network stack, etc.)?
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Reply #3 on: January 03, 2018, 06:36:50 am
It's the FreeBSD VirtIO driver ..
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Intrusion Detection plus IPS enabled plus virtio = blocked network traffic
Reply #4 on: January 04, 2018, 09:19:47 pm
Use the e1000 emulation.
Cheers,
Franco