SG3100 limitations
-
@Burner27 said in SG3100 limitations:
I thank you for looking it over. The only thing I can say is it happens only when SNORT is installed. Even SNORT by itself.
All of the dates in that log snippet were from July 10. Is the date on your firewall incorrect, or is the log really that old? What has happened in the 11 days since those log entries were created? Today is July 21, and those entries were from back on July 10 (unless your firewall's date is 11 days off).
-
I can provide you with more log entries, but basically after I installed SNORT on July 10th, and it rebooted 5 minutes later, I removed the SNORT package (and used the option to remove all settings). I then reinstalled it, and I only configured it with a few lists. I only had it update the lists, and did not assign it to an interface to see if that would run ok. I let it run for 5 days and did not have any issues. I then followed this tutorial: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
It was configured for the LAN interface only. It was also running fine for about 4 days after that when I started reading articles about 'Is SNORT/Suricata needed for a home user?' Most of them in the responses (including the ones you commented on) were a resounding no. Being new to pfSense and best practices (also taking into account the hardware in the SG3100), I thought it would be best to remove it and focus on packages that would be effective for home use. I only have 1 server open to the world and it is a VM of Minecraft.
Now you are completely up to date!
-
@Burner27 said in SG3100 limitations:
I can provide you with more log entries, but basically after I installed SNORT on July 10th, and it rebooted 5 minutes later, I removed the SNORT package (and used the option to remove all settings). I then reinstalled it, and I only configured it with a few lists. I only had it update the lists, and did not assign it to an interface to see if that would run ok. I let it run for 5 days and did not have any issues. I then followed this tutorial: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html
It was configured for the LAN interface only. It was also running fine for about 4 days after that when I started reading articles about 'Is SNORT/Suricata needed for a home user?' Most of them in the responses (including the ones you commented on) were a resounding no. Being new to pfSense and best practices (also taking into account the hardware in the SG3100), I thought it would be best to remove it and focus on packages that would be effective for home use. I only have 1 server open to the world and it is a VM of Minecraft.
Now you are completely up to date!
So if I understood what you wrote, you installed Snort initially on July 10 and got a reboot 5 minutes later. So you removed it and installed it again but without assigning an interface that time. It ran fine for 5 days, and then you configured it to run on the LAN and it ran fine for 4 more days. Finally, you decided to remove it again after conversations and responses to this forum thread.
So I'm not seeing your logic from above that implicates Snort as the cause of the single random reboot. Do you mean you had other random reboots during the 5-day and 4-day runs, or did it run without issue during those times? If no issues for that many days, I would find it hard to blame Snort (or any other of the installed packages) as the cause of the reboot on July 10. I'm not trying to dodge the issue, but the evidence you provided in no way implicates any package you have installed as the cause of the reboot - to be honest. You had an apparent random reboot on July 10 at 14:29:29. If that is the only time, then I'm not seeing your issue -- unless I'm missing something in what you wrote. While a random reboot is certainly not an expected thing, I see nothing that implicates any package in that. If it was Snort, I would expect to see reboots during those 5-day and 4-day periods when you said it ran without issues.
-
The only difference between the two SNORT installs was the one that caused the reboots was the configuration I followed from Lawrence Systems' Youtube video. This tutorial: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html did not cause any reboots. The configurations are different. Is it possible a configuration could cause the SG3100 to reboot? When I tried SNORT it was the only package installed other than the pfSense software itself. I agree with you regarding the SNORT package itself isn't causing the issue; I think I am doing something wrong?
I removed it because most of the people in this thread advised against it since I am running it at home and I really do lack the knowledge to understand it correctly. This is why I ask the experts (like yourself) to educate me. I didn't know you were the creator of the application, and I do appreciate you taking the time to answer my questions/troubleshoot this issue.
-
@Burner27 said in SG3100 limitations:
The only difference between the two SNORT installs was the one that caused the reboots was the configuration I followed from Lawrence Systems' Youtube video. This tutorial: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html did not cause any reboots. The configurations are different. Is it possible a configuration could cause the SG3100 to reboot? When I tried SNORT it was the only package installed other than the pfSense software itself. I agree with you regarding the SNORT package itself isn't causing the issue; I think I am doing something wrong?
I removed it because most of the people in this thread advised against it since I am running it at home and I really do lack the knowledge to understand it correctly. This is why I ask the experts (like yourself) to educate me. I didn't know you were the creator of the application, and I do appreciate you taking the time to answer my questions/troubleshoot this issue.
No, I don't think the configuration would make a difference. The video you followed was primarily about configuring OpenAppID. That technology is a type of Layer 7 deep packet inspection (DPI). It can detect certain types of popular applications and alert on them. For example, it can detect most Facebook traffic, other types of social media applications and their traffic like Twitter and Instagram, and so forth. This is generally not useful at all for a home user because that kind of traffic is probably 90% or more of what traverses your network in the first place. Folks in your family use social media, and probably so do you. So why would you want to detect and block that? But if you are a major corporation or other business entity, you likely would not want all of your employees using social media apps on the company's time and dime... So you would want to detect and possibly block that kind of traffic so your employees did their assigned work instead of posting on Facebook or Instagram or reading Twitter feeds during work hours.
To be honest, I don't think Snort was the cause of your reboot at all. It is more likely to be perhaps a random hardware issue or even a short-lived power failure/dip that caused the hardware to reboot. The only issue I have ever seen Snort cause is a Signal 10 bus error, and those get logged in the system log. And they result in only the Snort process itself crashing. Nothing else is impacted and the firewall does not reboot. I see no evidence of that in your log.
You are fine without an IDS/IPS on a home network. The most important things for home network security are (in order of importance):
1. Keep all clients updated with the latest security hotfixes! That means installing all security updates as soon as practical after they are released.
2. Teach family members how NOT to be "click happy". This is especially important with emails that have embedded URLs and/or attachments. Doubly important when that email is from an unrecognized sender!
3. For all LAN client endpoints that have available anti-virus clients, install an AV product and keep it updated. For Microsoft stuff, the free built-in Windows tools are more than adequate; especially if you follow tip #1 above and keep your Windows machines patched.
Notice how none of these items involve your firewall? That's because in most home networks any firewall will have a default deny-all for unsolicited inbound traffic. That's very good basic security.
Now in your case you mentioned that you have an open gaming server (the Minecraft VM). That server absolutely needs to stay current with patches. And I would strongly recommend you move it to a DMZ network all by itself and isolate it to the maximum extent possible from your LAN and the other clients there. If that box is ever compromised, the other hosts on your LAN are then easy pickings for the hacker and nothing on your firewall can get in the way once the hacker owns your gaming server sitting right there on your LAN.
-
-
I appreciate your thoroughness in your answer. I don't know if hardware issues get reported in the logfiles, but it would make sense. The SG3100 is connected to a UPS so it does get clean power. That doesn't mean the power brick itself isn't having an issue or something with the SSD/motherboard/RAM could be the culprit. I will take your advice and move the Minecraft server to a DMZ for security and peace of mind.
Thanks again for all your advice and expertise!!
-
Yup, putting your server in a DMZ you can filter from the rest of your network is a very good call.
I would still consider limiting what source addresses can access it if you can. Even if that's using a geo-IP alias for North America, it's better than allowing access from anywhere.
Steve
-
I don’t think I can set up a DMZ. The OPT1 interface is my backup WAN connection.
-
@Burner27 said in SG3100 limitations:
I don’t think I can set up a DMZ. The OPT1 interface is my backup WAN connection.
If you have (or get) a VLAN-capable managed switch, you can set up VLANs and get some isolation that way. Configured properly, VLANs are okay for what you need. Actual isolated hardware ports is the best, but you're not protecting NSA secrets or the nuclear missile launch codes.
-
You can configure the on-board switch on the 3100 to separate a port as a discrete interface via internal VLANs.
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
Steve
-
@stephenw10 said in SG3100 limitations:
You can configure the on-board switch on the 3100 to separate a port as a discrete interface via internal VLANs.
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/switch-overview.html
Steve
Yep! Forgot about that little tidbit of the SG-3100's capabilities.
-
That guide was very helpful. I got the interface set up as its own VLAN and was able to set up the DHCP server on it as well. Should the firewall rules for the interface be the same setup as LAN?
-
@Burner27 said in SG3100 limitations:
That guide was very helpful. I got the interface set up as its own VLAN and was able to set up the DHCP server on it as well. Should the firewall rules for the interface be the same setup as LAN?
I would not expect them to be the exact same. The ideal goal would be for the Minecraft server to be completely cut off from your LAN. But since I suspect you want to be able to play from a client device on your LAN, then you will need some rules on your LAN side to enable access to the DMZ side. Remember that in pfSense you put firewall rules on the ingress interface (so something like "source = LAN, dest = DMZ, allow" on LAN interface). In reality it would be best to lock that down to certain ports and protocols and even certain IP addresses if feasible.
On the DMZ side, you would want to generally block all unsolicited inbound access from the DMZ into your LAN. But I'm not familiar with Minecraft operation, so you may not be able to do that 100% (but I suspect you could). So something like this for 100% isolation: "source = DMZ, dest = LAN, deny" on DMZ interface.
To set your way of thinking, consider that DMZ and all servers in it to be the same as the Internet. In other words, the wild-west and evil and infected. Then base your firewall rules on the DMZ and LAN interfaces accordingly. Of course you still need the game server to function, so some amount of communications will have to be allowed. A fair amount of experimentation may be required to find the magical combination of maximum security and full functionality.
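As an added illustration of the LAN/DMZ rule layout described in the reply above (example code, not from the thread or from pfSense itself): a small simulator of pfSense-style evaluation, where rules live on the ingress interface, the first match wins, and anything unmatched hits the implicit default deny. The subnets, the server address 192.168.10.10 and the interface names are constructed assumptions; 25565 is the Minecraft Java server's default port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional

# Constructed addresses for the example (not from the thread).
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.10.0/24")
MC_SERVER = ip_address("192.168.10.10")   # hypothetical Minecraft VM in the DMZ
MC_PORT = 25565                           # Minecraft Java server default port
ANY = None                                # wildcard for src/dst/proto/port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def _in(addr: str, target) -> bool:
    """True if addr equals target, is inside target, or target is ANY."""
    if target is ANY:
        return True
    a = ip_address(addr)
    return a in target if isinstance(target, (IPv4Network, IPv6Network)) else a == target

@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: Optional[object] = ANY     # ip_network, ip_address or ANY
    dst: Optional[object] = ANY
    proto: Optional[str] = ANY
    dport: Optional[int] = ANY

    def matches(self, f: Flow) -> bool:
        return (_in(f.src, self.src) and _in(f.dst, self.dst)
                and self.proto in (ANY, f.proto) and self.dport in (ANY, f.dport))

# Rules are keyed by the interface a packet ENTERS on; order matters (first match wins).
RULES = {
    "LAN": [
        Rule("pass", LAN, MC_SERVER, "tcp", MC_PORT),  # play from LAN clients only
        Rule("block", LAN, DMZ),                        # nothing else from LAN into the DMZ
        Rule("pass", LAN, ANY),                         # LAN to the Internet
    ],
    "DMZ": [
        Rule("block", DMZ, LAN),   # 100% isolation: the DMZ never initiates into the LAN
        Rule("pass", DMZ, ANY),    # server still reaches the Internet (patches, updates)
    ],
}   # WAN rules (the port forward for public players) are deliberately not modelled here

def ingress_interface(f: Flow) -> str:
    a = ip_address(f.src)
    return "LAN" if a in LAN else "DMZ" if a in DMZ else "WAN"

def evaluate(f: Flow) -> str:
    for rule in RULES.get(ingress_interface(f), []):
        if rule.matches(f):
            return rule.action
    return "block"   # pfSense's implicit default deny
```

Reply traffic needs no rule of its own because pf is stateful; only the packet that opens a connection is checked against these lists.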
-
@bmeeks I had the random reboots running Snort on my SG-3100. About weekly, and generally during heavy activity (you know, right when you don't need a random reboot). Nothing in the logs, no panic, no crash, just a sudden and unexplained restart. I suspected overheat, but support said my 70°C temperature readings were fine and normal. That seems kind of high, especially since I had the thing isolated and ventilated pretty well.
I honestly don't think the hardware is up to the task, and even Netgate support... they didn't come right out and say that, but they did suggest that I try Suricata instead as it is much more CPU efficient than Snort.
I replaced my SG-3100 with an SG-5100 and the performance difference is significant, to say the least! I'm realizing that the divide between a plastic toy and a machine made of metal is right here between these two devices. I couldn't even get line speed transfers on the SG-3100, and now I'm consistently able to get 920/920 speed test (nice low latency too, 3ms/4ms unloaded/loaded) on my 1000/1000 fiber connection... On the SG-3100 speed tests were coming up more like 650/650 and latency around 4ms/10ms. Maybe better right after a fresh reboot, but not for long after.
I think the advice for a SG-3100 user is to run as vanilla a config as you can, and no unnecessary packages... I was running some accounting/reporting packages at first (ntopng, darkstat, bandwidthd) and I think even just that was putting too much load on.
The SG-5100 is a big step up in price, but I think it's reflective of the performance increase.
Cheers.
-
@tjcooks4829 I have to agree with you about the SG3100 not being up to the task. I'm glad I'm not the only one experiencing those random reboots while running Snort. I had the same issues running Suricata, so I would have to go up to the SG5100 as well to resolve my issue. Although I did speak with bmeeks in this thread and we agreed there is no need to run Snort or Suricata unless I am hosting things behind it. Right now I am only running pfBlockerNG-dev to block ads and geoip, which seems to have minimal impact on the hardware. My average ping is 13ms whereas the previous device I was using was always sub 10ms using the same connection. I am very tempted to repurpose an old Haswell-EP machine for pfSense.
-
@Burner27 I'm not sure I agree that there's no reason for a home user to run IDS/IPS. The main use case being it will detect (and block, if so configured) outbound traffic from a compromised machine on your network.
One more layer of protection -- definitely a layer of last resort, but really useful. Ransomware is really rampant and on the rise, and running frequently updated signatures on Snort can catch emergent threats, whether or not your family has turned off their annoying virus protection. ;-). Cheers.
-
@Burner27 I have an SG3100 running pfBlocker with GeoIP + Snort on the 2 WANs, and I have 4 separate VPNs; on average I get 12 users connected simultaneously.
It doesn't actually slow down, but every 3 to 8 days it restarts, as @Burner27 commented. I realized that when I used it without pfBlocker and Snort, it never restarted.
I thought it was temperature, as @tjcooks4829 also commented, but it's not, because it's on a UPS and in a room with reduced air conditioning. I believe it's just a lot for its own capacity.
I'm on version 2.4.1-p1; when 21.01 came out I researched it and found that there were a lot of errors, so I ended up leaving it. I saw that it's already at version 21.05; I'm working up the courage to update.
In summary, I think the SG3100 is pretty overloaded for what I use it for, but unfortunately I can't buy an SG5100 right now. Greetings.
-
Removed auto update from Snort and pfBlocker. I will monitor whether the reboots stop without autoupdate.
-
I am not sure where I read it, but it was mentioned the code for pfSense is 64-bit and running it on a 32-bit CPU like the SG3100 has inside it has been 'challenging'. I have since moved away from my SG3100 in favor of a device that is more robust. Not saying I don't have any issues, but I have fewer issues running it now on the new hardware.
-
@burner27 I intend to switch to the SG5100 in the future