Netgate Discussion Forum

    SG3100 limitations

    Official Netgate® Hardware
      tjcooks4829 @Burner27

      @Burner27 I'm not sure I agree that there's no reason for a home user to run IDS/IPS. The main use case is that it will detect (and block, if so configured) outbound traffic from a compromised machine on your network.

      One more layer of protection -- definitely a layer of last resort, but really useful. Ransomware is really rampant and on the rise, and running frequently updated signatures on Snort can catch emergent threats, whether or not your family has turned off their annoying virus protection. ;-). Cheers.

        Luketa

        @Burner27 I have an SG3100 running pfBlocker with GEO IP + Snort on the 2 WANs, and I have 4 separate VPNs; on average I get 12 users connected simultaneously.
        Until it slows down, but between 3 to 8 days it restarts, like @Burner27 commented. I realized that when I used it without pfBlocker and Snort, it never restarted.
        I thought it was temperature, as @tjcooks4829 also commented, but it's not, because it's on a UPS and in a room with reduced air conditioning. I believe it's a lot for its own capacity.
        I'm on version 2.4.1-p1. When 21.01 came out I researched it and found that there were a lot of errors, so I ended up leaving it. I saw that it's already at version 21.05; I'm working up the courage to update.
        In summary, I think the SG3100 is pretty overloaded for what I use, but unfortunately I can't buy an SG5100 now.

        greetings

          Luketa

          Removed auto update from Snort and pfBlocker. I will monitor whether the reboots stop without auto update.

            Burner27

            I am not sure where I read it, but it was mentioned that the code for pfSense is 64-bit and running it on a 32-bit CPU like the one the SG3100 has inside it has been 'challenging'. I have since moved away from my SG3100 in favor of a device that is more robust. Not saying I don't have any issues, but I have fewer issues running it now on the new hardware.

              Luketa @Burner27

              @burner27 I intend to switch to the SG5100 in the future

                Burner27 @Luketa

                @luketa I didn't go that route.

                  Luketa

                  For information, I updated the SG 3100 to version 21.05; it updated successfully, with no errors, but Snort does not start.

                    stephenw10 Netgate Administrator

                    If you are running pfBlocker, Snort or Suricata in 21.05 you will be hitting this bug on the 3100:
                    https://redmine.pfsense.org/issues/11466

                    You should apply the patch listed there:
                    https://redmine.pfsense.org/attachments/download/3707/patch-disable-pcrejit-arm.diff

                    I would also recommend running Suricata instead of Snort right now. I'm running that here without issue.

                    Steve

                      Luketa @stephenw10

                      @stephenw10 I applied the patch, I have 2 WAN.

                      WAN2 started the snort service,
                      WAN1 is processing and does not start.
                      Would you have something to do to normalize?

                      I would like to continue with snort.

                      thanks

                        stephenw10 Netgate Administrator

                        Check the Snort logs for ruleset errors.

                        Usually (on other platforms!) if it doesn't start like that it's because you are loading signatures for a pre-processor that isn't enabled. The logs are pretty clear when that happens.

                        Steve

                          Luketa @stephenw10

                          @stephenw10
                          Tried everything to get Snort to work; it really won't.

                          I installed Suricata and it's running 100% on version 21.05

                          thank you all.

                            stephenw10 Netgate Administrator

                            Yeah, I would use Suricata at least until this is resolved.

                            I opened a separate bug for the Snort issue as people were confusing it with the PHP issue and it's not the same problem at all: https://redmine.pfsense.org/issues/12157

                            Steve

                              bmeeks @Luketa

                              @luketa said in SG3100 limitations:

                              @stephenw10
                              Tried everything to get Snort to work; it really won't.

                              I installed Suricata and it's running 100% on version 21.05

                              thank you all.

                              Glad Suricata is working well for you. The Snort problem is a tough one to solve. Understanding the root cause of the error requires being skilled in the art of assembly language level programming in the ARM CPUs. It has to do with the specific CPU opcodes the compiler chooses to employ when converting certain memory operations coded in C into the binary CPU opcode equivalents.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.