Messages - Teken

1
More insight is going to take some additional info from logs and recreating the event more often than every 29 days.

If you are game, change the interval back to every 6 or 12 hours and change the time for the update to coincide with a period when you are available to login to the firewall and see what's happening and grab some log info during the issue.  Specifically I need to see the system log entries during the time the loss of connectivity is happening along with your suricata.log file for the interface.

The system log for pfSense is under STATUS >> SYSTEM LOGS.  You can find the Suricata log I need under the LOGS VIEW tab and then select the suricata.log file in the drop-down selector.  The system log will likely contain the most relevant info.  Just remember to capture the info during the time the connectivity problem is happening.  Feel free to obfuscate IP addresses if you want to.

Bill

Hi Bill,

Apologies for the tardy reply; I've been on the road for work for several weeks. Upon my return I shall follow your suggestions, and it should be noted that since moving the update interval to 29 days, nothing bad has happened to any network appliance in the home. Since my last reply, that very much affirms this issue is directly related to the update.

Thank You!

2
Hello Bill,

When the system is updating all networking is halted specifically anything to do with WiFi. If I'm watching Netflix on my LG smart TV the only way to restore the connection is to cycle power to the TV. This same behavior is seen on two smart weather stations I am beta testing.

On those specific devices I can see the hubs showing a red LED.

A red LED indicates on those specific pieces of hardware that the hub is not able to connect to the WiFi network / communicate to the weather servers.

The only remedy is to cycle power to those two hubs to establish a WiFi connection. Since I started this thread this problem has not reappeared due to the fact I have pushed the Suricata update to 29 days etc.

Any further insight is greatly appreciated!

3
Block Offenders is not checked on either LAN / WAN interface. The Micro PC has four on board Intel WG82583 NICs.

Thank You!

4
@Gertran is on the right track.  Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs.  That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM.  I would say 2GB is cutting it close on RAM.  I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Are any other packages running on this firewall?  That can further add to load, and if you have another package that needs to download daily updates (such as IP lists or something), then perhaps there is a conflict with the update jobs ???

Bill

Hello Bill,

This is a brand new Micro PC I propped up in late 2017 and the hardware specifications are these:

Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

The amount of RAM might be an issue.  It really depends on the number of enabled rules.  When the scheduled updates run, Suricata basically has to load both sets of rules into memory at the same time, then when everything is loaded up it switches over to using the new rules in RAM and discards the old ones.  So for a brief period of time you need almost twice as much RAM as compared to the rest of the running time.  With a limited amount of RAM to start with, this could result in memory paging (the swapping in and out to disk of some RAM content).  Your power spike is simply the physical evidence of the much higher CPU workload during the task.  A higher CPU workload is normal for rule updates.

Bill

Hello Bill,

My apologies, I didn't state how much RAM I have on board. This Micro PC has 8 GB of RAM, which should be more than plenty to run pfSense.

5
@Gertran is on the right track.  Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs.  That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM.  I would say 2GB is cutting it close on RAM.  I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Bill

This is why I pointed to a bad hour to make updates. To me 0:30 is too soon; is this the default? These updates should be made when fewer people are connected.


...
Can you provide an image capture as to where this is? I can't find it.
...

Image annexed.

@bmeeks is here, so you should get good feedback; he is the maintainer and the expert.

I do not see IPS Mode in the 2.4.2 P1 firmware release.

6
@Gertran is on the right track.  Suricata needs a good bit of CPU horsepower, and the more rules you enable the more horsepower it needs.  That needed horsepower includes a pretty fast and capable CPU along with plenty of RAM.  I would say 2GB is cutting it close on RAM.  I would rather have at least 4GB of RAM for Suricata with a lot of rules enabled.

Are any other packages running on this firewall?  That can further add to load, and if you have another package that needs to download daily updates (such as IP lists or something), then perhaps there is a conflict with the update jobs ???

Bill

Hello Bill,

This is a brand new Micro PC I propped up in late 2017 and the hardware specifications are these:

Intel(R) Atom(TM) CPU E3845 @ 1.91GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (active)

7
Hi,

Suricata, when updating, uses some Watts ... never saw stats that showed increased system usage expressed by Watts before.
What about process usage? RAM usage? Do they follow the Watt usage?

Although firewalls like this https://store.netgate.com/SG-1000.aspx maybe shouldn't be using heavy packages such as Suricata (I might be wrong here), I wonder what you use for hardware.

I haven't been around when the system shuts down the network due to work flow. In the near future I'll schedule it for a time I'm around and confirm what the process / RAM usage is. I'm sure lots of folks haven't ever seen an energy chart placed on this forum to describe a problem. I only did so because it helped illustrate the factual data of when the time event happened and the correlation was an increase in power due to more processing power being called upon.

I know what every single device and circuit consumes, for how long, frequency of, and if there are any out of band readings in the home. If there are, my systems shut them down and send alerts to me indicating when and where.

8
Hi.

Is 0:30 the best update hour? Mine is at 4 or 5 AM.

Have you enabled or disabled "Live Rule Swap on Update" in Global settings? What is your interface "IPS Mode" (go to and edit the interface, section "Alert and Block Settings")?

The time could really be whatever; I simply left it at the default value. The problem is not just that the network goes out, but when it happens I have several Alpha / Beta pieces of hardware that have a really hard time coming back online once this update happens. I literally have to hard reboot these two devices by removing power remotely via my web hosted switch.

This was NEVER an issue prior to this release  . . .

I did note the option of *Live Rule Swap on Update* but again I never used it in the past. I see no reason to use this as a solution given the previous release operated just fine. If no one is going to take this issue seriously and address it obviously I will have to use that option moving forward.

Quote
What is your interface "IPS Mode" (go to and edit the interface, section "Alert and Block Settings")?

Can you provide an image capture as to where this is? I can't find it.

Thank You!

9
Since updating to the last official 2.4.2 P1 release, every single day at 12:30 AM and 6:30 PM my entire network shuts down. Upon further audit and review I found that whenever the Suricata program is updating its signatures the system will be locked up doing something which literally kills all network connections in my home.  >:(

Since I update based on six hour intervals starting at 12:30 AM each day it was easy to track. As seen in this image capture, when Suricata is updating its database the load increases several watts from its base 8 watts RMS at 12:30 AM & 6:30 PM.

I have since changed the setting to 28 days until the next scheduled update until such time root cause has been identified and resolved by the development team.

Moving the update period has completely solved this network down issue for me . . .

Thank You!


10
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 20, 2017, 11:49:59 am »
I have no clue what's happening but the *Disk Usage* has dropped off from 21% to 11~ 12%.  :o

11
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 12, 2017, 04:00:40 pm »
Speaking of logs, I just had a silly idea.  Wonder how hard it would be to make a package that maintained extensive logs offsite on something like google docs or microsoft docs etc?

I would think using the SysLog server add on would be the ticket, no?  :)

12
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 12, 2017, 03:43:26 pm »
If you're using ZFS and have a snapshot or some other FS level object that references old blocks, "deleting" files does not clear out the data.

In your example that makes perfect sense but that doesn't explain how *Prior* to deleting any and all logs. Say it was at 40% disk utilized and when I selected delete all historic logs, charts, graphs, etc.

The system actually displayed the usage as increasing to say 41~45% and fluctuated.

A day later upon logging in the disk space was back down to 20%, so this tells me there is a UI / Process bug. A lay person would expect one of two outcomes, which are the following:

- Delete: Disk space is immediately reclaimed and reflected
- Delete: Minimal disk space is reclaimed and reflected based on your example

In no way would a lay person expect to see a delete to cause the disk space to decrease in capacity and increase in initial space.  :o  :-[   

13
2.4 Development Snapshots / Re: Disk Usage Space Error
« on: December 12, 2017, 12:53:00 pm »
Agreed, and when I checked the different tabs and their settings all of them were defaulted to overwrite upon a full state. The biggest drop was clearing out the charts and graphs in ntopng, bandwidth d, etc.

I'll circle back when I am on site to check the console to see what folders are the largest.

Thank You!

14
2.4 Development Snapshots / Disk Usage Space Error
« on: December 11, 2017, 01:48:48 pm »
The other day I decided to delete any and all logs in the system. Once done the disk usage indicator in the dashboard actually increased in disk space?!?  :-\  :-[ A little surprised, I once again went through whatever tabs to delete the logs and charts. Again the disk space continued to climb to 41% disk space consumed??

This afternoon I logged in and the system is now back to what I expected to see which is 20%.

I have to gather there is a UI bug that's linked to some kind of process in the background. I sat and waited for what seemed like hours before logging out because after three plus hours the disk space usage either was climbing or it didn't drop back down to what I expected to see.

Thank You!   

15
2.4 Development Snapshots / Re: Two Error Messages
« on: December 10, 2017, 09:08:02 pm »
just fyi: pfBlockerNG 2.1.2_2 includes that patch.

Noted, and thank you!
