Hey all, I’ve been trying to figure out why enabling IPS kills my network. I have some services I host and would like to get some sort of IPS running. I used to have Snort running through pfSense and didn’t experience issues like this.
Edit: as an update to this, I resolved it by installing the realtek plugin.
What RAM does this “beelink” have (I’ve never heard of them)?
IPS can be very memory intensive if you add lots of rules, regardless of how their behaviour is set. (You can check the table size)
Also, what else do you have enabled? Do you have ZenArmour also installed and running? That is another memory hungry app (it does the same thing, so either use ZenArmour or IPS, not both).
Finally, do you have offloading disabled for the Interfaces? Interfaces ->Settings you need to disable Hardware CRC, TSO and LRO at the least for IPS to work. You might have to disable VLAN HW filtering as well.
These last settings are probably the most common reason for IPS failing. Drivers are almost always broken for these functions, particularly in HardenedBSD/FreeBSD. IIRC these are off by default in pf, but on in OPN.
That’s a good point on the memory. I actually installed with ZFS on root instead of UFS like I had on pfSense, which uses more RAM. All the hardware offloading is disabled so I think RAM is the culprit as I’ve only got 8gb in there.
It sounds like your IPS rules are wrong, but we would need more info. Rules, network topology and flow, too many variables without more info.
I don’t think it’s the IPS rules themselves because they were set to Alert only. I just enabled a few of the standard rule sets that are available.
I’m using a Beelink GK55 and seemed to be fine with pfSense.
As for the topology, I’ve got one ipv4 WAN gateway on one NIC, and the other NIC is for the LAN which connects through a couple UniFi switches. There are 3 VLANs as well.