OPNsense

498 readers

1 users here now

All discussions about the open source, FreeBSD-based firewall called OPNsense.

founded 1 year ago

MODERATORS

[email protected]

(Solved) IPS (Suricata) kills network (programming.dev)

submitted 9 months ago* (last edited 5 months ago) by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

Hey all, I've been trying to figure out why enabling IPS kills my network. I have some services I host and would like to get some sort of IPS running. I used to have Snort running through pfSense and didn't experience issues like this.

Edit: as an update to this, I resolved it by installing the realtek plugin.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (1 children)

What RAM does this "beelink" have (I've never heard of them)?

IPS can be very memory intensive if you add lots of rules, regardless of how their behaviour is set. (You can check the table size)

Also, what else do you have enabled? Do you have ZenArmour also installed and running? That is another memory hungry app (it does the same thing, so either use ZenArmour or IPS, not both).

Finally, do you have offloading disabled for the Interfaces? Interfaces ->Settings you need to disable Hardware CRC, TSO and LRO at the least for IPS to work. You might have to disable VLAN HW filtering as well.

These last settings are probably the most common reason for IPS failing. Drivers are almost always broken for these functions, particularly in HardenedBSD/FreeBSD. IIRC these are off by default in pf, but on in OPN.

[–] [email protected] 1 points 9 months ago

That's a good point on the memory. I actually installed with ZFS on root instead of UFS like I had on pfSense, which uses more RAM. All the hardware offloading is disabled so I think RAM is the culprit as I've only got 8gb in there.