

Messages - atrotter01

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 30, 2018, 06:03:54 pm »
OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate repository is not including my "fix".

EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

Sorry for the trouble ...  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.


Thanks for the update! I am glad it was something simple and not another issue!  :)

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 29, 2018, 08:51:43 pm »
It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.

[2.4.2-RELEASE][admin@pfsense]/root: ls -l /usr/local/bin/snort
-r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
[2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d

Running snort --help gives me this version:

Version GRE (Build 268) FreeBSD

Package manager shows installed with snort-
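
The post above checks whether a reinstall really replaced the Snort binary by looking at its size, timestamp, MD5 and reported build. The following script is an added example (not code from the thread or from the pfSense/Snort projects) that turns that manual check into a repeatable one: it records a size-plus-SHA-256 fingerprint of a file and compares it against an expected hash, so a before/after reinstall comparison, or a comparison with a hash published by the package maintainer, is a single command. The paths and hashes in the usage lines are constructed placeholders, not values from the thread; SHA-256 is used instead of MD5 because MD5 is collision-prone and unsuitable for integrity claims.

```shell
#!/bin/sh
# Added example: fingerprint an installed binary and verify it against an expected hash.
# Works with GNU coreutils (sha256sum) and with FreeBSD/pfSense (sha256 -q).

# sha256_of FILE -> prints the hex SHA-256 digest of FILE, or returns 3 if no tool is found
sha256_of() {
  f="$1"
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$f" | cut -d' ' -f1
  elif command -v sha256 >/dev/null 2>&1; then      # FreeBSD userland, as on pfSense
    sha256 -q "$f"
  else
    return 3
  fi
}

# binary_fingerprint FILE -> prints "<size-in-bytes> <sha256>" for FILE
# Size and hash together make it obvious whether a reinstall changed the file at all.
binary_fingerprint() {
  f="$1"
  [ -f "$f" ] || return 2
  size=$(wc -c < "$f" | tr -d ' ')
  sum=$(sha256_of "$f") || return 3
  printf '%s %s\n' "$size" "$sum"
}

# verify_binary FILE EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch, 2 if FILE is missing
# Comparison is case-insensitive so a hash pasted from a web page or release note still matches.
verify_binary() {
  f="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$f" ] || return 2
  actual=$(sha256_of "$f") || return 3
  if [ "$actual" = "$expected" ]; then
    echo "OK: $f matches expected SHA-256"
    return 0
  fi
  echo "MISMATCH: $f" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (placeholder path and hash, constructed for illustration):
#   binary_fingerprint /usr/local/bin/snort
#   verify_binary /usr/local/bin/snort 0000000000000000000000000000000000000000000000000000000000000000
```

A practical workflow is to run binary_fingerprint before removing the package and again after the reinstall: if the two lines are identical, the package manager did not replace the file, which is exactly the situation described earlier in this thread.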

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 29, 2018, 08:43:10 pm »
Do you have any other packages, or anything else, set up on your test SG-3100?  There must be some difference between mine and yours that causes mine to crash.  Mine is used as my primary router, so I do have LAN and WAN configured. I also have many other packages installed.  If you have any other suggestions I am happy to try anything to get it working.

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 29, 2018, 06:34:52 pm »
This crash is likely related to having a rule enabled that needs the preprocessor.  I am able to get it to run but only with that option disabled and minimal rules enabled.

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 29, 2018, 06:09:16 pm »
Yes, this is how I originally gave it a try.  Now I've gone as far as uninstalling, completely removing the snort section from config.xml to make sure no settings could be carrying over, then reinstalling.  I still experience crashing.

IDS/IPS / Re: Snort + SG-3100 = exited on signal 10
« on: January 29, 2018, 05:43:16 pm »
I upgraded to the new snort package released in pfSense package manager.  I am still seeing issues with crashing.  I did a complete removal and reinstall.

Jan 29 16:59:31   kernel      mvneta0: promiscuous mode disabled
Jan 29 16:59:31   kernel      pid 84107 (snort), uid 0: exited on signal 10
Jan 29 16:58:44   snort   84107   Commencing packet processing (pid=84107)

Could you try going to the interface settings in Snort, then <Interface> Preprocs, then under "Stream5 Target-Based Stream Reassembly", uncheck "Track and reassemble TCP sessions. Default is Checked.".  Save this and see if the crashes stop... after some troubleshooting with mine this is the only way I could get it to start.

IDS/IPS / Re: Snort Package v3.2.9.6 - Release Notes
« on: January 29, 2018, 05:28:53 pm »
Thanks, I did try that, and just tried it again as well.  I removed snort, manually removed the cached package, reinstalled.  I then updated the rules, created a LAN interface, and started it.  No other settings were changed and it crashed.

IDS/IPS / Re: Snort Package v3.2.9.6 - Release Notes
« on: January 26, 2018, 04:54:35 pm »
Should this include the fixes for the SG-3100 / ARM issue?  I am still getting bus error crashes:

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 268) FreeBSD
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.40 2017-01-11
           Using ZLIB version: 1.2.11

[2.4.2-RELEASE][admin@pfsense]/root: /usr/local/bin/snort -R 9151 -q --suppress-config-log -l /var/log/snort/snort_mvneta19151 --pid-path /var/run --nolock-pidfile -G 9151 -c /usr/local/etc/snort/snort_9151_mvneta1/snort.conf -i mvneta1

Bus error

Edit - it looks like it starts if I disable "Track and reassemble TCP sessions. Default is Checked." under the Stream5 preproc.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 07, 2017, 05:45:38 pm »
It's a dual core ARM v7 Cortex-A9 @ 1.6 GHz with NEON SIMD and FPU. I think I am either hitting some odd issue with traffic shaping on ARM architecture or a CPU limitation.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 07, 2017, 05:30:08 am »
John thanks, it's asymmetrical, not symmetrical.  :) The connection maxes out at about 940/42.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 06, 2017, 03:57:12 pm »
I tried leaving the masks off and that didn't seem to make a difference.  Then I tried disconnecting everything from the firewall except the laptop that I am using to test with, so that I could ensure nothing else was on the network.  That didn't make a difference either.  When the limiters are not enabled I can run a sustained 60 second download test and hit gig speeds 95% of the time, other than occasional dips.  When I enable the limiters I can't get over the 650ish mark.

I can run top from an SSH session and it looks to be pegging one of the cores both with and without fq_codel so I can't really tell one way or the other there.

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: December 05, 2017, 07:06:12 pm »
I am trying to set this up on an SG-3100 with an asymmetrical gigabit connection.  I set up two queues and am configuring them as follows:

ipfw pipe 1 config  bw 920Mb
ipfw sched 1 config pipe 1 type fq_codel
ipfw queue 1 config sched 1 mask dst-ip6 /128 dst-ip 0xffffffff

ipfw pipe 2 config  bw 40232Kb
ipfw sched 2 config pipe 2 type fq_codel
ipfw queue 2 config sched 2 mask src-ip6 /128 src-ip 0xffffffff

On the firewall side I am using a floating rule to apply the queues.  This all works, with the floating rule enabled I get A / A+ on the DSL Reports speed test, whereas without the rule I get a C at best for bufferbloat.  The issue I am having is with the rule enabled, I get at most ~650Mb/s bandwidth downstream, I have no problem hitting 940 with the rule disabled.  Am I running into a CPU limitation of the SG-3100? Is there anything I can try to tweak?
