I've been working on implementing Suricata (package 2.1.9.1) on a CARP dual router setup, and Suricata is set to sync to router2 as well. I have several issues, the worst of which ends with me unable to connect to router2 via a browser (and of course sync fails).
1) Agonizingly slow page loads. I'm trying to enable only certain emerging-web_specific_apps.rules rules. I disabled all rules, and am going through and enabling certain ones that apply. There are several thousand rules in that category, so it is a big page*. If I enable a rule, sometimes the page reloads in a few seconds. Sometimes it takes several minutes. Sometimes I can enable 20 in a row, fast, and then it slows down again. I don't understand the discrepancy. It is so slow I can watch the table draw if I scroll to the bottom of what's loaded. While it's loading, other pages from the router load fine, e.g. the index.php page loads immediately and shows 0% CPU usage, 30% memory usage (it's a 4 CPU VM with 2 GB RAM, on a 100 Mbps connection). Other connections *through* this router are normal.

2) I have found that despite two Apply buttons on the "Suricata: Interface WAN - Rules: ____" page it syncs every change to router2 anyway, every time a rule is enabled. It seems slightly faster to turn off syncing but not several minutes faster (and then enable it at the end, which immediately syncs).

3) CARP syncs at every Suricata rule enable also, even though Suricata has its own sync. QUESTION: do I need the Suricata sync enabled if the CARP sync is enabled?

4) If I disable the CARP configuration sync (leaving state sync enabled) the super slow page loads go away for a while. However they come back so it does not 100% fix the problem of the several-minute page loads.

5) Occasionally, clicking on the Enable icon sends me directly to the router's index.php page as if something crashed. I would say it is rare, but just now it happened 4 times inside of a few minutes. It can happen even if I wait a couple minutes after the page loads before clicking an Enable icon. What would cause this redirect? Shouldn't pfSense show an error page if an error is happening?

6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it said it fixed some sync issues. On at least two occasions, with 2.2.6, I start getting "unread notice" alerts for sync errors, and can't connect to the web GUI on router2. Connecting to its console and choosing "Restart webConfigurator" (option 11) fixes both issues, as if the web browser crashed.

7) I don't know if this is relevant but when each and every CARP sync happens, router2 logs the following. The 192.168.199.1 IP address is in the tunnel network for OpenVPN, which is not connected.

Jan 12 00:39:47 php-fpm[26893]: /rc.start_packages: Restarting/Starting all packages.
Jan 12 00:39:46 check_reload_status: Starting packages
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
Jan 12 00:39:46 check_reload_status: Reloading filter
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real interface: ovpns1).
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Jan 12 00:39:45 check_reload_status: rc.newwanip starting ovpns1
Jan 12 00:39:45 kernel: ovpns1: link state changed to UP
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 kernel: ovpns1: link state changed to DOWN
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: Resyncing OpenVPN instances.
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting IPv6 default route to [IPv6 WAN gateway]
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting default route to [IPv4 WAN gateway]
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 check_reload_status: Syncing firewall

* small JavaScript tip: define a function for document.getElementById like so and it will save a lot of repeated text on a page that big:

function x() { return document.getElementById(arguments[0]); }

-- 
Steve Yates
ITS, Inc.
_______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold