Suricata 5.04_2 Interfering with Gaming?
-
Anyone else notice issues with Suricata and gaming? I have been having a lot of issues this year with students getting game disconnects while using certain popular games and Suricata turned on. Have noticed it primarily with PC gamers. It is difficult to troubleshoot as it does not happen right away usually, but several minutes into a game. Some of the games with issues:
Apex Legends (EA servers) Get a message "Error Connection to server timeout out"
Rocket League (Epic)
Overwatch (Blizzard)
This is on a college network. Fall 2020 Session was fine running pfSense 2.4.5p1 and Suricata 5.0.2_2. Spring 2021 Session has the issues running pfSense 2.4.5p1 and Suricata 5.0.4_2.
If I turn Suricata off the problems go away. No issues with bandwidth -- typical usage is around 300-400 Mbps with headroom to 800 Mbps+.
Suricata is set to block only P2P. It does not appear that any of the games getting disconnects are using P2P nor getting blocked. Again this was not a problem with 5.0.2_2. Otherwise everything else seems to work fine. The upgrade to 5.0.4_2 occurred due to an SSD upgrade with a pfSense reload.
-
You are not providing enough information in your post. Which specific rules are alerting and triggering the blocks? I assume you must have blocking enabled. If so, then which mode: Legacy Blocking or Inline IPS?
You will need to examine the ALERTS tab entries to determine which rules are triggering and impacting which IP addresses.
If you identify the rules that are alerting, and you consider them to be false positives, then you can suppress those alerts or just disable those particular rule SIDs.
-
Using Legacy mode. I have not been able to find any alerts that correspond to the gamer disconnects. I have all rules disabled except emerging-p2p. Using only the free rules with no registration required. I have not been able to find any alerts, blocks, or logs that correspond to the disconnects so far.
Is there any way to go back to 5.0.2_2?
-
@supertechie said in Suricata 5.04_2 Interfering with Gaming?:
Using Legacy mode. I have not been able to find any alerts that correspond to the gamer disconnects. I have all rules disabled except emerging-p2p. Using only the free rules with no registration required. I have not been able to find any alerts, blocks, or logs that correspond to the disconnects so far.
Is there any way to go back to 5.0.2_2?
No, there is no method for going backwards. But nothing changed in the package itself that would alter what is blocked. That is 100% determined by the enabled rules. Likely one of the recent rules updates is your problem.
Where are you running Suricata? On the WAN or a LAN interface? It should be placed on internal LAN interfaces. That way the IP addresses on the ALERTS tab will be pre-NAT and thus correspond to actual local hosts. If you run it on the WAN, then all local IP addresses will show up as just the firewall's public WAN IP.
I can't understand why you can't determine what is blocking unless you have a super busy network and your LOGS MGMT settings are causing your ALERTS log to get rolled over very quickly. You should be able to scroll around on the ALERTS tab and find the IP in an alert entry of a local host (one of the gamer's PCs). Then see what rule triggered that alert.
-
Using Suricata on the WAN as I want the ability to turn on rules on the fly if needed that would apply to the WAN only. I have played with Suricata using the LAN side but am not using it at present. However, in the Alerts tab and blocks tab I only show ET_P2P rule blocks (which is how I have it configured). I have monitored gaming sessions and do not see any new blocks occur when the students get kicked out. I can try again, but it seems to me more of an issue of just having Suricata on than a particular rule. Which is odd because everything else seems to be working fine. Again also odd as I did not have a problem with 5.0.2_2.
-
@supertechie said in Suricata 5.04_2 Interfering with Gaming?:
Using Suricata on the WAN as I want the ability to turn on rules on the fly if needed that would apply to the WAN only. I have played with Suricata using the LAN side but am not using it at present. However, in the Alerts tab and blocks tab I only show ET_P2P rule blocks (which is how I have it configured). I have monitored gaming sessions and do not see any new blocks occur when the students get kicked out. I can try again, but it seems to me more of an issue of just having Suricata on than a particular rule. Which is odd because everything else seems to be working fine. Again also odd as I did not have a problem with 5.0.2_2.
If no blocks show up on the BLOCKS tab that correspond to one of the remote host IP addresses the gamer was interacting with, then Suricata is not to blame. It physically is not capable of blocking traffic itself. In Legacy Mode, it hands IP addresses to the firewall engine which then puts them in a pf table called snort2c. You can examine the contents of that table under DIAGNOSTIC > TABLES from the pfSense menu. If you don't see the remote host's IP in the table, then Suricata did not block it.
I think you either have something else going on not related to Suricata, or you are misreading what the ALERTS and BLOCKS tabs are showing you. You can't get a block of traffic by Suricata unless you have both a corresponding alert on the ALERTS tab AND the blocked IP shows up on the BLOCKS tab (and in that snort2c table).
Gaming servers very well could be behind load balancers that will show up as different IP addresses for each connection. That would complicate identifying the particular host.
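As an added example (not from the thread or from the pfSense Suricata package), the check described above done offline: read Suricata EVE JSON alert records, take the peer outside HOME_NET as the address Legacy Mode would hand to pf, and count an alert as a real block only if that address also appears in a `pfctl -t snort2c -T show` dump. The WAN address, the remote addresses and the log lines are constructed samples.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed EVE JSON records. Suricata sits on the WAN here, so the local side
# is always the firewall's public address (198.51.100.5 is a sample, not real).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.17","dest_ip":"198.51.100.5","proto":"UDP",'
    '"alert":{"signature_id":2003315,"signature":"ET P2P Edonkey Search Reply"}}',
    '{"event_type":"alert","src_ip":"203.0.113.42","dest_ip":"198.51.100.5","proto":"UDP",'
    '"alert":{"signature_id":2003315,"signature":"ET P2P Edonkey Search Reply"}}',
    '{"event_type":"alert","src_ip":"198.51.100.5","dest_ip":"203.0.113.99","proto":"TCP",'
    '"alert":{"signature_id":2000334,"signature":"ET P2P BitTorrent peer sync"}}',
    '{"event_type":"flow","src_ip":"198.51.100.5","dest_ip":"203.0.113.17","proto":"UDP"}',
]

# Constructed output of: pfctl -t snort2c -T show  (pfctl indents each entry).
SNORT2C_TEXT = "   203.0.113.17\n   203.0.113.99\n"

HOME_NET = [ipaddress.ip_network("198.51.100.5/32")]


def in_home_net(ip, home_net):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def correlate(eve_lines, snort2c_text, home_net):
    """Pair each alert with the remote peer and whether pf actually holds that peer."""
    blocked = set(snort2c_text.split())
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # only alerts can lead to a snort2c entry
        remote = ev["dest_ip"] if in_home_net(ev["src_ip"], home_net) else ev["src_ip"]
        results.append({
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "remote": remote,
            "blocked": remote in blocked,
        })
    return results


def alerts_vs_blocks_by_sid(results):
    """Per SID: (number of alerts, number whose remote peer is really in snort2c)."""
    summary = defaultdict(lambda: [0, 0])
    for r in results:
        summary[r["sid"]][0] += 1
        summary[r["sid"]][1] += int(r["blocked"])
    return {sid: tuple(v) for sid, v in summary.items()}
```

An alert whose remote peer is missing from the table (the second record above) is exactly the "alert but no block" case the post describes; the two numbers per SID make that gap visible before any rule is disabled.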
-
To follow up with your suggestion, I'll maybe try turning off groups of the P2P rules and testing to see if a problem rule can be found. It will take me a while to do this testing, but I'll get back with my results when I can. Thanks for the suggestion!
-
Still doing testing, but it looks like this rule has been causing issues:
2003315 udp 1024:65535 $HOME_NET 1024:65535 ET P2P Edonkey Search Reply
Any history of change on this rule?
I'll post more later if I narrow down any other rules.