I've been working on implementing Suricata (package 2.1.9.1) on a CARP
dual router setup, and Suricata is set to sync to router2 as well. I have
several issues, the worst of which ends with me unable to connect to router2
via a browser (and of course sync fails).
1) Agonizingly slow page loads.
I'm trying to enable only certain emerging-web_specific_apps.rules rules. I
disabled all rules, and am going through and enabling certain ones that apply.
There are several thousand rules in that category, so it is a big page*. If I
enable a rule, sometimes the page reloads in a few seconds. Sometimes it takes
several minutes. Sometimes I can enable 20 in a row, fast, and then it slows
down again. I don't understand the discrepancy. It is so slow I can watch the
table draw if I scroll to the bottom of what's loaded. While it's loading,
other pages from the router load fine, e.g. the index.php page loads
immediately and shows 0% CPU usage, 30% memory usage (it's a 4 CPU VM with 2 GB
RAM, on a 100 Mbps connection). Other connections *through* this router are
normal.
2) I have found that despite two Apply buttons on the "Suricata: Interface WAN
- Rules: ____" page it syncs every change to router2 anyway, every time a rule
is enabled. It seems slightly faster to turn off syncing (and then enable it at
the end, which immediately syncs), but not several minutes faster.
3) CARP syncs at every Suricata rule enable also, even though Suricata has its
own sync. QUESTION: do I need the Suricata sync enabled if the CARP sync is
enabled?
4) If I disable the CARP configuration sync (leaving state sync enabled) the
super slow page loads go away for a while. However they come back so it does
not 100% fix the problem of the several-minute page loads.
5) Occasionally, clicking on the Enable icon sends me directly to the router's
index.php page as if something crashed. I would say it is rare, but just now
it happened 4 times inside of a few minutes. It can happen even if I wait a
couple minutes after the page loads before clicking an Enable icon. What would
cause this redirect? Shouldn't pfSense show an error page if an error is
happening?
6) I started on pfSense 2.2.5 and upgraded both routers to 2.2.6 since it said
it fixed some sync issues. On at least two occasions, with 2.2.6, I start
getting "unread notice" alerts for sync errors, and can't connect to the web
GUI on router2. Connecting to its console and choosing "Restart
webConfigurator" (option 11) fixes both issues, as if the web browser crashed.
7) I don't know if this is relevant but when each and every CARP sync happens,
router2 logs the following. The 192.168.199.1 IP address is in the tunnel
network for OpenVPN, which is not connected.
Jan 12 00:39:47 php-fpm[26893]: /rc.start_packages: Restarting/Starting all packages.
Jan 12 00:39:46 check_reload_status: Starting packages
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - -> 192.168.199.1 - Restarting packages.
Jan 12 00:39:46 check_reload_status: Reloading filter
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.199.1) (interface: []) (real interface: ovpns1).
Jan 12 00:39:46 php-fpm[26893]: /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Jan 12 00:39:45 check_reload_status: rc.newwanip starting ovpns1
Jan 12 00:39:45 kernel: ovpns1: link state changed to UP
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 kernel: ovpns1: link state changed to DOWN
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: Resyncing OpenVPN instances.
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting IPv6 default route to [IPv6 WAN gateway]
Jan 12 00:39:44 php-fpm[19360]: /xmlrpc.php: ROUTING: setting default route to [IPv4 WAN gateway]
Jan 12 00:39:44 check_reload_status: Reloading filter
Jan 12 00:39:44 check_reload_status: Syncing firewall
* small JavaScript tip: define a function for document.getElementById like so
and it will save a lot of repeated text on a page that big:
  // Short alias for document.getElementById; takes the element id as a
  // named parameter instead of reading it from arguments[0].
  function x(id) {
    return document.getElementById(id);
  }
--
Steve Yates
ITS, Inc.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold