Configuring Suricata IDS/IPS on an OpenWrt router?
I want to configure IDS/IPS systems, starting from scratch but needing extra protection. I currently have a TP-Link TL-MR3420 router that’s sitting idle and was recently updated with OpenWrt from the provided link. The primary router connected via ONU is a Tenda. I attempted to install Suricata and its dependencies on Windows, but it didn’t function well and requires constant Docker usage. I’m considering adding Suricata filter lists or rules directly in the OpenWrt TP-Link router, while keeping the main Wi-Fi/optical connection with the Tenda active. So essentially, can I run ONU>tenda(wifi)>tp link(desktop) on the router?
If your TP-LINK model is linked to the provided URL, it appears to have limited memory capacity. It may not support heavy workloads effectively. Consider using Suricata in a PFSense/OpenWrt x86 virtual machine (via VMware, VBox, or Hyper-V) on your PC for better performance.
What do you think about the resource demands? With an i5 4570 and 16GB RAM, can it handle continuous use? I had trouble getting the Docker setup to work, but I'm looking for a simpler method. Also, how would that look on Windows?
I don't really require a firewall at home, but I've tried running pfsense x86 in VMware before for home lab testing. I think using the suricata plugin with pfsense should not consume more than 2GB of RAM, though that's just my guess.
32MB RAM on tplink is simply insufficient.
I'm not sure how you configured Docker on your Windows PC? Are you using Hyper-V? I don't think running an OpenWrt or PFSense VM on a PC will be very demanding. Your 4th generation Intel 16GB PC definitely has enough power to run a pfsense/openwrt VM.
Hyper-V seems to me to be a poor choice; consider using VMware Workstation instead.
I'm not certain if you're still using an HDD for your PC, it's better to use an SSD now.
I previously used VMware with a virtualized operating system, but it wasn't very smooth for my work. Are you recommending installing the OS on the VMware and then configuring IPs/IDs? Wouldn't that add even more resource strain? Or are you only referring to the IPs/IDs dependencies in VMware? Also, do both Hyper-V and Docker use Intel virtualization, so is the resource usage similar? Your SSD claim is also pending.
You didn't address the question about the necessity of suricata. Also, your method of running Docker wasn't specified—didn't you use Docker Desktop on Windows? I assume Microsoft has deprecated Docker desktop? Did you run Docker via a Hyper-V VM or WSL 2? All these options use AMD/Intel virtual tech, which doesn't seem to make much difference here. You often run a router/firewall VM in the background. Since you haven't installed suricata before, I can't say how resource-intensive it is. However, what I found on Reddit suggests this:
https://www.reddit.com/r/PFSENSE/comment..._suricata/
A slow HDD might be the cause of your issues. Once you switch to an SSD, performance should improve significantly.
You have one huge issue with your plan even if you find a way to get software loaded on an old router.
Currently the way even the cheapest router does NAT is to use a hardware accelerator function that bypasses the cpu. This is how a cheap router can pass 1gbit of traffic wan/lan. If you turn off that feature all the traffic must now pass through the cpu chip and you only get maybe 200-300mbps on the fastest router cpu chips. Many run much less, many well under 100mbps.
Although some versions of open source router software have the driver needed to access part of this accelerator function, it does not solve the problem when you are running a firewall. When you run a firewall the CPU chip must see the packets, so you cannot use this bypass feature even if it is supported. This means just turning on the firewall with no rules at all will greatly drop the performance because the CPU is now doing NAT. When you start running firewall rules it increases the CPU load and decreases your total throughput.
If this is something to learn and play with this type of software, I guess it is an option. There really is no need for any kind of firewall or IDS in a home network.
The NAT function alone is the same as a firewall rule that says deny all incoming traffic from an unknown source. This alone protects all your internal machines from any direct attacks. The only time you really would need a firewall is if you were running some kind of server where you need to allow traffic from an unknown source to talk to the machine. Key here though: even if you have a firewall, the security on the server itself is far more important. Pretty much it is not cost effective to run your own server. Everyone is now using cloud based virtual servers and these have firewall function as part of the package.
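As an added illustration (not posted by anyone in this thread), this is an OpenWrt /etc/config/firewall fragment in the stock layout: the wan zone's input/forward REJECT together with masq is the "deny all incoming from an unknown source" behaviour the post above describes, and the flow_offloading options in the defaults section are the accelerator bypass. An IDS/IPS that must inspect every packet on the CPU cannot use that bypass, so those options are the first thing to turn off, with the throughput cost described above. Interface names are assumed to match a default install.

```conf
# OpenWrt /etc/config/firewall (added example; stock default layout)
config defaults
	# unsolicited packets addressed to the router itself are rejected
	option input 'REJECT'
	option output 'ACCEPT'
	# nothing is forwarded between zones unless a forwarding/rule allows it
	option forward 'REJECT'
	option synflood_protect '1'
	# accelerator bypass: established flows skip the CPU netfilter path.
	# Set both to '0' when an IDS/IPS must see every packet on the CPU.
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	# nothing from the Internet reaches the router or is forwarded inward;
	# masq enables NAT, so only replies to outbound flows (conntrack) return
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# inside hosts may initiate to the Internet; return traffic is matched
# by connection tracking, which is the "deny unknown incoming" effect
config forwarding
	option src 'lan'
	option dest 'wan'
```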
If you care about security, then why opt for outdated firmware from 2019? A contemporary version would offer installable packages for all the host files, firewall or adblocking tools you might need. However, if your goal is to actively intrude and detect threats, it will demand significantly more CPU resources, especially in a system with multiple network interfaces like the one described (with several NICs) using a wired router. You could instead convert your current routers into access points.
As with Snort, Suricata is mainly designed for Linux, while the Windows version receives less focus.
Additionally, many people just need to manage what they already possess.
Based on the image shared, I recommend adding a note about cable management and cleaning.
Whether for small or large systems.
This aligns with standard "best practices" and helps maintain order.
Sometimes "working" happens because devices, connectors, cables, etc., are misplaced and out of place.
It also leads to confusion and errors during tasks.
These issues can result in various complications.
Take a few moments to sort everything out.
Inspect everything for signs of damage, twists, pinching, bent pins, and similar problems.
Remove possible sources of trouble before they become problems.
I need the extra security, that's all (there are a lot of reasons but I'd rather not say what they are).
I think I ran the Docker through WSL2. Also I tried following this guide:
https://letsdefend.io/blog/how-to-instal...on-windows
but couldn't get it to work, and for the Docker image I tried evebox/suricata/elasticsearch/- and all its dependencies; here's the link:
https://github.com/jasonish/evebox
Also couldn't get it to work, but it did take up almost 5-10GB of space on the SSD. I couldn't find any detailed tutorial about setting this up on Windows, and from the searches it appears Suricata/Snort are not very Windows friendly.